From 16583925c443ff5a1f44fb528778031ec74281aa Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Thu, 8 Sep 2011 17:17:27 -0700
Subject: [PATCH] fixed verification of primaries

---
 verifier/lib/certassertion.js | 33 ++++++++++++++-------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/verifier/lib/certassertion.js b/verifier/lib/certassertion.js
index 5a9707512..bb8d2569c 100644
--- a/verifier/lib/certassertion.js
+++ b/verifier/lib/certassertion.js
@@ -140,28 +140,23 @@ function retrieveHostPublicKey(host, successCB, errorCB) {
 function verify(assertion, audience, successCB, errorCB, pkRetriever) {
   // assertion is bundle
   var bundle = vep.unbundleCertsAndAssertion(assertion);
-  
+
+  var theIssuer;
   jwcert.JWCert.verifyChain(bundle.certificates, function(issuer, next) {
-    console.log("ISSUER is " + issuer);
-    // for now, only support the browserid.org issuer
-    if (issuer != configuration.get('hostname')) {
-      // allow other retrievers for now for testing
-      //
-      // retrieve the public key for the issuer and
-      // pass it to the continuation
-      if (pkRetriever)
-        pkRetriever(issuer, next);
-      else
-        next(null);
-
-      return;
+    theIssuer = issuer;
+    // allow other retrievers for testing
+    if (pkRetriever)
+      pkRetriever(issuer, next);
+    else
+      retrieveHostPublicKey(issuer, next, function(err) {next(null);});
+  }, function(pk, principal) {
+    // primary?
+    if (theIssuer != configuration.get('hostname')) {
+      // then the email better match the issuer
+      if (!principal.email.match("@" + theIssuer + "$"))
+        return errorCB();
     }
 
-    // retrieve the public key for real
-    retrieveHostPublicKey(issuer, next, function(err) {
-      next(null);
-    });
-  }, function(pk, principal) {
     var tok = new jwt.JWT();
     tok.parse(bundle.assertion);
 
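Review bot: The new primary check `principal.email.match("@" + theIssuer + "$")` builds a regular expression from the issuer hostname taken off the certificate chain, so every `.` in that hostname is a wildcard and the comparison is case-sensitive although hostnames and the domain part of an address are not; `alice@exampleXcom` passes for issuer `example.com` while `alice@Example.com` is rejected. It also throws a TypeError instead of reaching `errorCB` when `principal.email` is absent from the certificate. Compare the domain as a plain string instead: `var at = String(principal.email || '').lastIndexOf('@');` / `var domain = at < 0 ? '' : principal.email.slice(at + 1).toLowerCase();` / `if (domain !== String(theIssuer).toLowerCase()) return errorCB();`. Note also that `theIssuer` is overwritten on every link the chain callback visits, so with more than one certificate the value checked here is whichever issuer `verifyChain` passed last, presumably the leaf's issuer, which is worth confirming against the order `verifyChain` walks. The body of `verify` continues past the end of this hunk.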
-- 
GitLab