use cert chain verifier from jwcrypto

0733ed04 · Ben Adida · 53419717 · 0733ed04 · 0733ed04 · 0733ed04
Commit 0733ed04 authored 13 years ago by Ben Adida
--- a/browserid/lib/ca.js
+++ b/browserid/lib/ca.js
@@ -93,22 +93,14 @@ function certify(email, publicKey, expiration) {
 }

 function verifyChain(certChain) {
-  // the certChain is expected to be ordered
-  // first cert signed root, next cert signed by first, ...
-  // returns the last certified public key
-  var currentPublicKey = PUBLIC_KEY;
-  for (var i =0; i < certChain.length; i++) {
-    var cert = certChain[i];
-    if (!cert.verify(currentPublicKey)) {
-      return false;
-    }
-
-    // the public key for the next verification is..
-    currentPublicKey = cert.pk;
-  }
-
-  // return last certified public key
-  return currentPublicKey;
+  // raw certs
+  return jwcert.JWCert.verifyChain(certChain, function(issuer) {
+    // for now we only do browserid.org issued keys
+    if (issuer != "browserid2.org")
+      return null;
+
+    return PUBLIC_KEY;
+  });
 }

 // exports, not the key stuff

--- a/browserid/tests/ca-test.js
+++ b/browserid/tests/ca-test.js
@@ -61,13 +61,12 @@ var email_addr = "foo@foo.com";
 suite.addBatch({
  "certify a public key": {
    topic: ca.certify(email_addr, kp.publicKey),
-    "parses" : function(r, err) {
-      var cert = ca.parseCert(r);
+    "parses" : function(cert_raw, err) {
+      var cert = ca.parseCert(cert_raw);
      assert.notEqual(cert, null);
    },
-    "verifies": function(r, err) {
-      var cert = ca.parseCert(r);
-      assert.isTrue(ca.verifyChain([cert]).equals(kp.publicKey));
+    "verifies": function(cert_raw, err) {
+      assert.isTrue(kp.publicKey.equals(ca.verifyChain([cert_raw])));
    }
  },
  "certify a chain of keys": {

--- a/browserid/tests/cert-emails-test.js
+++ b/browserid/tests/cert-emails-test.js
@@ -148,7 +148,19 @@ suite.addBatch({
        assert.equal(full_assertion.assertion.split(".").length, 3);
      },
      "assertion verifies": {
-        topic: function(full_assertion) {return wsapi.get(cert_key_url, { assertion: full_assertion, audience: "rp.com" })();},
+        topic: function(full_assertion) {
+          // check that the assertion is verified by the public key in the chain cert
+          var cert_chain = [];
+          for (var i=0; i<full_assertion.certificates.length; i++) {
+            var cert = new jwcert.JWCert();
+            cert.parse(full_assertion.certificates[i]);
+            cert_chain[cert_chain.length] = cert;
+          }
+
+          // extract public key at the tail of the chain
+          var pk = ca.verifyChain(cert_chain);
+          
+        },
        "verifies": function(result) {
          assert.isTrue(result);
        }

--- a/jwcrypto @ 54af6b4c
+++ b/jwcrypto @ 54af6b4c
-Subproject commit 43535b130439a8f346e5758ded8c8fc30e927162
+Subproject commit 54af6b4cac37e8a4b6a90808bda07765f47125f5