diff --git a/browserid/lib/ca.js b/browserid/lib/ca.js
index 45fa726039742876be4e4f2ffa12f09d992ee7a3..fd1b5bc2daa1f30eb0bc851df8e33fa551aa0637 100644
--- a/browserid/lib/ca.js
+++ b/browserid/lib/ca.js
@@ -95,10 +95,10 @@ function certify(email, publicKey, expiration) {
   return new jwcert.JWCert("browserid.org", new Date(), publicKey, {email: email}).sign(SECRET_KEY);
 }
 
-function verifyChain(certChain, publicKey) {
+function verifyChain(certChain) {
   // the certChain is expected to be ordered
   // first cert signed root, next cert signed by first, ...
-  // last cert should contain the expected public key
+  // returns the last certified public key
   var currentPublicKey = PUBLIC_KEY;
   for (var i =0; i < certChain.length; i++) {
     var cert = certChain[i];
@@ -110,8 +110,8 @@ function verifyChain(certChain, publicKey) {
     currentPublicKey = cert.pk;
   }
 
-  // pk matches?
-  return currentPublicKey.serialize() == publicKey.serialize();
+  // return last certified public key
+  return currentPublicKey;
 }
 
 // exports, not the key stuff
diff --git a/browserid/tests/ca-test.js b/browserid/tests/ca-test.js
index 225a2231c5b44d14d761f765c7252743f637270e..2806cca23b5d3d031eb01bfe54a2b1bdfa903707 100755
--- a/browserid/tests/ca-test.js
+++ b/browserid/tests/ca-test.js
@@ -66,7 +66,7 @@ suite.addBatch({
     },
     "verifies": function(r, err) {
       var cert = ca.parseCert(r);
-      assert.isTrue(ca.verifyChain([cert], kp.publicKey));
+      assert.isTrue(ca.verifyChain([cert]).equals(kp.publicKey));
     }
   },
   "certify a chain of keys": {
diff --git a/browserid/tests/cert-emails-test.js b/browserid/tests/cert-emails-test.js
index 736e310f357d4414750142308b09f874422c4a49..556cb31d87d6612a75086b130d3f63f15343452c 100755
--- a/browserid/tests/cert-emails-test.js
+++ b/browserid/tests/cert-emails-test.js
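Review bot: The replacement comment `// returns the last certified public key` no longer tells callers what they now have to do with that value: with the publicKey parameter gone, matching the certified key against the expected one is entirely the caller's job, and nothing in the function says so. I would extend it to `// returns the public key certified by the last cert; callers MUST compare it (.equals) against the key they expect — this function no longer does that check` and also note the empty-chain case, where the loop never runs and the root PUBLIC_KEY itself comes back. verifyChain's loop body continues past the end of this hunk, so how a bad signature inside the loop is reported is not visible here.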
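Review bot: `return currentPublicKey;` hands back the unmodified root PUBLIC_KEY when certChain is empty, and unlike the old boolean the new return value is always truthy, so any caller that still tests the result with `if (ca.verifyChain(chain))`, or that is not updated to the `.equals` comparison the tests in this commit use, now treats an empty or never-checked chain as a successful verification. I would reject the degenerate case explicitly before the return, `if (certChain.length === 0) throw new Error("certificate chain is empty");`, so the function cannot return the CA's own key as a "certified" key. verifyChain starts outside this hunk; if a signature failure in the loop is reported by returning false rather than throwing, the `.equals` call in the updated callers turns that into a TypeError rather than a clean rejection, which is worth confirming against the hidden lines.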
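Review bot: `assert.isTrue(ca.verifyChain([cert]).equals(kp.publicKey))` covers only the accepting path; if verifyChain ever reports a bad chain by returning a non-key value, the `.equals` call throws a TypeError and the test fails by exception instead of by assertion, and there is no visible sibling case checking that a cert issued for a different key is rejected. I would split it, `var certified = ca.verifyChain([cert]); assert.ok(certified); assert.isTrue(certified.equals(kp.publicKey));`, and add a negative case using a second generated keypair. The `.equals` method presumably comes from the jwcrypto submodule bump in this same commit; worth confirming the pinned revision exposes it so the test does not pass or fail for the wrong reason.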
@@ -102,8 +102,9 @@ suite.addBatch({
 
 var cert_key_url = "/wsapi/cert_key";
 
-var pubkey = '-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMKlDDHBs5/B0uHDF3AZqOqzavAvpESI\nxEy2/6/p0gOhlUhkj/fWnQWyhM4lU3Ts5+aCzCoQvlWDGePphk8H9FMCAwEAAQ==\n-----END PUBLIC KEY-----\n';
-var pk_obj = jws.getByAlg("RS").PublicKey.deserialize(pubkey);
+// generate a keypair, we'll use this to sign assertions, as if
+// this keypair is stored in the browser localStorage
+var kp = jws.getByAlg("RS").KeyPair.generate(64);
 
 suite.addBatch({
   "cert key with no parameters": {
@@ -119,7 +120,7 @@ suite.addBatch({
     }
   },
   "cert key invoked with proper argument": {
-    topic: wsapi.post(cert_key_url, { email: 'syncer@somehost.com', pubkey: pubkey }),
+    topic: wsapi.post(cert_key_url, { email: 'syncer@somehost.com', pubkey: kp.publicKey.serialize() }),
     "returns a response with a proper content-type" : function(r, err) {
       assert.strictEqual(r.code, 200);
       assert.isTrue(r.headers['content-type'].indexOf('application/json; charset=utf-8') > -1);
@@ -128,7 +129,7 @@ suite.addBatch({
       var cert = new jwcert.JWCert();
       cert.parse(JSON.parse(r.body));
 
-      assert.isTrue(ca.verifyChain([cert], pk_obj));
+      assert.isTrue(ca.verifyChain([cert]).equals(kp.publicKey));
     }
   }
   // NOTE: db-test has more thorough tests of the algorithm behind the sync_emails API
diff --git a/lib/jwcrypto b/lib/jwcrypto
index 63912eac29589c421d01a70826a74c6b5ef79829..9aaa4c075c9b4f6188b5f0098e641f21f2c30a2a 160000
--- a/lib/jwcrypto
+++ b/lib/jwcrypto
@@ -1 +1 @@
-Subproject commit 63912eac29589c421d01a70826a74c6b5ef79829
+Subproject commit 9aaa4c075c9b4f6188b5f0098e641f21f2c30a2a
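Review bot: `KeyPair.generate(64)` presumably asks for a 64-bit RSA modulus (if the argument is a size in bits), which is fine as a fast test fixture but is trivially factorable, and the two comment lines above it only say that it stands in for a key kept in browser localStorage. I would add a third line, `// 64-bit key: test-only size for speed, never copy this into client or CA code`, so the line is not lifted into non-test code where the same call would produce a worthless key. The module-level statement run this hunk edits continues before and after it.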
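Review bot: `assert.isTrue(ca.verifyChain([cert]).equals(kp.publicKey))` checks that the returned cert certifies kp.publicKey but not that it is bound to `syncer@somehost.com`; verifyChain now returns only the key, so the `{email: email}` claim that certify() embeds (visible in the ca.js hunk of this commit) is never inspected by this test, and a server that certified the right key for the wrong email would pass. I would keep the key assertion and add one on the parsed cert's email principal, using whatever accessor JWCert exposes for that claim, e.g. `assert.strictEqual(<cert's email principal>, 'syncer@somehost.com');`. The enclosing test callback starts outside this hunk.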