
updated certificate format

1 parent fd4f47c commit 5ff36d7571e170e908b8a72bb88436fc20885394 @benadida benadida committed Jul 20, 2012
Showing with 81 additions and 24 deletions.
  1. +9 −4 README.md
  2. +7 −1 lib/assertion.js
  3. +58 −12 lib/cert.js
  4. +5 −5 test/cert-test.js
  5. +2 −2 test/format-test.js
@@ -134,13 +134,18 @@ Sometimes the JSON objects to sign are certificates
var assertionParams = {issuer: "foo.com", issuedAt: new Date(),
expiresAt: new Date()};
+ // cert params, kid is optional, others are required
+ var certParams = {kid: "key-2012-08-11",
+ publicKey: keyToCertify,
+ principal: principal};
+
var additionalPayload = {};
// payload cannot contain reserved fields
- cert.sign(keyToCertify, principal,
- assertionParams, additionalPayload,
- keypair.secretKey,
- function(err, signedObject) {
+ cert.sign(certParams,
+ assertionParams, additionalPayload,
+ keypair.secretKey,
+ function(err, signedObject) {
// normal signedObject
// can be verified with jwcrypto.verify
@@ -18,7 +18,13 @@ SERIALIZER._LEGACY_serializeAssertionParamsInto = function(assertionParams, para
SERIALIZER._20120815_serializeAssertionParamsInto = function(assertionParams, params) {
this._LEGACY_serializeAssertionParamsInto(assertionParams, params);
- params.version = "2012.08.15";
+
+ if (params.version) {
+ if (params.version != "2012.08.15")
+ throw new Error("cannot serialize an assertion in a different format than is prescribed by overlaying data structure, e.g. cert");
+ } else {
+ params.version = "2012.08.15";
+ }
}
var serializeAssertionParamsInto = function(assertionParams, params) {
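Review bot: The guard added at the top of `_20120815_serializeAssertionParamsInto` tests `params.version` for truthiness and compares with `!=`, so a `version` that is present but falsy (an empty string carried in through `additionalPayload`, if that is not rejected upstream) bypasses the mismatch check and is silently rewritten, while the loose comparison also accepts anything that merely coerces to the expected string. A tighter form is `if (params.version !== undefined && params.version !== "2012.08.15") throw new Error("…");` followed unconditionally by `params.version = "2012.08.15";`, which keeps the rejection of a conflicting overlay format (the cert case the error message describes) and drops the else branch. The function `serializeAssertionParamsInto` that begins on the last line of this hunk continues outside it.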
@@ -6,15 +6,63 @@ var jwcrypto = require("./jwcrypto"),
assertion = require("./assertion"),
utils = require("./utils"),
delay = utils.delay,
+ version = require("./version"),
und = require("./underscore.js");
-exports.sign = function(publicKeyToSign, principal,
- assertionParams, additionalPayload,
+var SERIALIZER = {};
+
+SERIALIZER._LEGACY_serializeCertParamsInto = function(certParams, params) {
+ params['public-key'] = certParams.publicKey.toSimpleObject();
+ params.principal = certParams.principal;
+};
+
+SERIALIZER._20120815_serializeCertParamsInto = function(certParams, params) {
+ params['publicKey'] = certParams.publicKey.toSimpleObject();
+ params.principal = certParams.principal;
+
+ params.version = "2012.08.15";
+}
+
+var serializeCertParamsInto = function(certParams, params) {
+ version.dispatchOnDataFormatVersion(SERIALIZER, 'serializeCertParamsInto', version.getDataFormatVersion(), certParams, params);
+};
+
+SERIALIZER._LEGACY_extractCertParamsFrom = function(params) {
+ var certParams = {};
+
+ certParams.publicKey = jwcrypto.loadPublicKey(JSON.stringify(params['public-key']));
+ delete params['public-key'];
+ certParams.principal = params.principal;
+ delete params.principal;
+
+ return certParams;
+};
+
+SERIALIZER._20120815_extractCertParamsFrom = function(params) {
+ delete params.version;
+
+ var certParams = {};
+
+ certParams.publicKey = jwcrypto.loadPublicKey(JSON.stringify(params.publicKey));
+ delete params.publicKey;
+ certParams.principal = params.principal;
+ delete params.principal;
+
+ return certParams;
+};
+
+
+function extractCertParamsFrom(params, originalComponents) {
+ return version.dispatchOnDataFormatVersion(SERIALIZER, 'extractCertParamsFrom', originalComponents.payload.version, params);
+};
+
+
+exports.sign = function(certParams, assertionParams, additionalPayload,
secretKey, cb) {
var payload = {};
utils.copyInto(additionalPayload || {}, payload);
- payload['public-key'] = publicKeyToSign.toSimpleObject();
- payload.principal = principal;
+
+ serializeCertParamsInto(certParams, payload);
assertion.sign(payload, assertionParams, secretKey, cb);
};
@@ -25,13 +73,11 @@ var verify = function(signedObject, publicKey, now, cb) {
return cb(err);
// compatible with old format
- var publicKey = jwcrypto.loadPublicKey(JSON.stringify(payload['public-key']));
- delete payload['public-key'];
- var principal = payload.principal;
- delete payload.principal;
+ var originalComponents = jwcrypto.extractComponents(signedObject);
+ var certParams = extractCertParamsFrom(payload, originalComponents);
// make the key appear under both public-key and publicKey
- cb(err, payload, assertionParams, {principal: principal, 'public-key': publicKey, publicKey: publicKey});
+ cb(err, payload, assertionParams, certParams);
});
};
@@ -77,9 +123,9 @@ var verifyChain = function(certs, now, getRoot, cb) {
certParams: certParams});
if (i >= certs.length)
- cb(null, certParamsArray, certParams['public-key']);
+ cb(null, certParamsArray, certParams.publicKey);
else
- delay(verifyCert)(i, certParams['public-key'], certParamsArray, cb);
+ delay(verifyCert)(i, certParams.publicKey, certParamsArray, cb);
});
}
@@ -127,7 +173,7 @@ exports.verifyBundle = function(bundle, now, getRoot, cb) {
}
// what was the last PK in the successful chain?
- var lastPK = certParamsArray[certParamsArray.length - 1].certParams['public-key'];
+ var lastPK = certParamsArray[certParamsArray.length - 1].certParams.publicKey;
// now verify the assertion
assertion.verify(signedAssertion, lastPK, now, function(err, payload, assertionParams) {
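Review bot: In `verify`, `extractCertParamsFrom(payload, originalComponents)` dispatches on `originalComponents.payload.version` and then calls `jwcrypto.loadPublicKey(JSON.stringify(params.publicKey))`, and neither step is guarded: a signed cert with an unrecognised version string, or a "2012.08.15" payload that omits `publicKey` or still names its key `public-key`, would throw inside the `assertion.verify` callback instead of reaching `cb(err)`, and the same throw would abort `verifyChain` part-way through a chain. Because `version` sits inside the signed payload and the `err` guard above suggests the signature has already been checked when this callback runs, this is a robustness problem rather than a forgery path, but the extractors should still verify that `params.publicKey` and `params.principal` are present and the extraction should be wrapped so failures are reported through the callback. The comment `// make the key appear under both public-key and publicKey` no longer matches the code: the returned `certParams` now carries only `publicKey`, so any caller outside this commit that reads `certParams['public-key']` will get undefined, which deserves a mention in the commit message or README. Separately, `certParams.kid`, which the README hunk documents as an optional cert parameter, is never written by either `serializeCertParamsInto` variant. `verify` itself starts before this hunk, so its signature and the `assertion.verify` call are not visible here.
```javascript
// … unchanged: assertion.verify call and `if (err) return cb(err);` guard …
var certParams;
try {
  var originalComponents = jwcrypto.extractComponents(signedObject);
  certParams = extractCertParamsFrom(payload, originalComponents);
} catch (e) {
  // a malformed-but-signed cert must surface as a verification error, not an uncaught throw
  return cb(e);
}
cb(err, payload, assertionParams, certParams);
```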
@@ -30,7 +30,7 @@ testUtils.addBatches(suite, function(alg, keysize) {
};
// yes, we're signing our own public key, cause it's easier for now
- cert.sign(keypair.publicKey, {email: "john@issuer.com"},
+ cert.sign({publicKey: keypair.publicKey, principal:{email: "john@issuer.com"}},
assertionParams, null, keypair.secretKey, self.callback);
});
},
@@ -71,7 +71,7 @@ testUtils.addBatches(suite, function(alg, keysize) {
assert.isNotNull(assertionParams.issuedAt);
assert.isNotNull(assertionParams.expiresAt);
assert.isObject(certParams.principal);
- assert.isObject(certParams['public-key']);
+ assert.isObject(certParams.publicKey);
// make sure iss and exp are dates
assert.isFunction(assertionParams.issuedAt.getFullYear);
@@ -108,10 +108,10 @@ testUtils.addBatches(suite, function(alg, keysize) {
jwcrypto.generateKeypair({algorithm: alg, keysize: keysize}, function(err, intermediate_kp) {
jwcrypto.generateKeypair({algorithm: alg, keysize: keysize}, function(err, user_kp) {
// generate the two certs
- cert.sign(intermediate_kp.publicKey, {host: "intermediate.root.com"},
+ cert.sign({publicKey: intermediate_kp.publicKey, principal: {host: "intermediate.root.com"}},
{issuer: "root.com", issuedAt: new Date(), expiresAt: expiration}, null,
root_kp.secretKey, function (err, signedIntermediate) {
- cert.sign(user_kp.publicKey, {email: "john@root.com"},
+ cert.sign({publicKey: user_kp.publicKey, principal: {email: "john@root.com"}},
{issuer: "intermediate.root.com", issuedAt: new Date(), expiresAt: expiration},
null, intermediate_kp.secretKey,
function(err, signedUser) {
@@ -211,7 +211,7 @@ testUtils.addBatches(suite, function(alg, keysize) {
};
// yes, we're signing our own public key, cause it's easier for now
- cert.sign(keypair.publicKey, {email: "user@example.com"},
+ cert.sign({publicKey: keypair.publicKey, principal: {email: "user@example.com"}},
assertionParams, null, keypair.secretKey, function(err, signedObj) {
cert.verify(signedObj, keypair.publicKey, new Date(), self.callback);
});
@@ -125,7 +125,7 @@ suite.addBatch({
suite.addBatch({
"sign a cert": {
topic: function() {
- jwcrypto.cert.sign(userKeypair.publicKey, {email: EMAIL},
+ jwcrypto.cert.sign({publicKey: userKeypair.publicKey, principal: {email: EMAIL}},
{issuedAt: now, issuer: ISSUER, expiresAt: in_a_minute},
{},
domainKeypair.secretKey, this.callback);
@@ -155,7 +155,7 @@ suite.addBatch({
assert.equal(components.payload.principal.email, EMAIL);
assert.equal(Object.keys(components.payload.principal).length, 1);
- assert.equal(JSON.stringify(components.payload['public-key']), userKeypair.publicKey.serialize());
+ assert.equal(JSON.stringify(components.payload.publicKey), userKeypair.publicKey.serialize());
// optionally version

