diff --git a/lib/jwcrypto b/lib/jwcrypto
index 299db4be7b6fc30a7d5a94815a143560f0cfc1ac..8cbb157af1dd2b544d08422a4c3c32ff26d6534a 160000
--- a/lib/jwcrypto
+++ b/lib/jwcrypto
@@ -1 +1 @@
-Subproject commit 299db4be7b6fc30a7d5a94815a143560f0cfc1ac
+Subproject commit 8cbb157af1dd2b544d08422a4c3c32ff26d6534a
diff --git a/verifier/app.js b/verifier/app.js
index bf6571161d9fc601261999e84edc55d8399a9ca4..db7c14b17f6ad1a0730d6147bd12f37e5f4611d4 100644
--- a/verifier/app.js
+++ b/verifier/app.js
@@ -40,7 +40,6 @@ const path = require('path'),
 httputils = require('./lib/httputils.js'),
 idassertion = require('./lib/idassertion.js'),
 certassertion = require('./lib/certassertion.js'),
- jwt = require('./lib/jwt.js'),
 express = require('express'),
 metrics = require('../libs/metrics.js'),
 logger = require('../libs/logging.js').logger;
@@ -54,18 +53,15 @@ logger.info("verifier server starting up");
 function doVerify(req, resp, next) {
 req.body = req.body || {}
 var assertion = (req.query && req.query.assertion) ? req.query.assertion : req.body.assertion;
- var certificates = (req.query && req.query.certificates) ? req.query.certificates : req.body.certificates;
 var audience = (req.query && req.query.audience) ? req.query.audience : req.body.audience;
- if (!(assertion && audience && certificates))
- return resp.json({ status: "failure", reason: "need assertion, certificates audience" });
+ if (!(assertion && audience))
+ return resp.json({ status: "failure", reason: "need assertion and audience" });
 // removed CORS support, encourages wrong implementation approach
- var cert_list = certificates.split(",");
-
 certassertion.verify(
- cert_list, assertion, audience,
+ assertion, audience,
 function(email, audience, expires) {
 resp.json({
 status : "okay",
diff --git a/verifier/lib/certassertion.js b/verifier/lib/certassertion.js
index c4d988b59ac6a0698b15fc31904eeeef3cfca0e5..b2ed480d6c14aa7fc46f9842d9a710e3374592ce 100644
--- a/verifier/lib/certassertion.js
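Review bot: The new guard `if (!(assertion && audience))` checks only truthiness, so if the body parser accepts JSON an object or array supplied as `assertion` or `audience` now reaches `certassertion.verify` unchecked, where before it at least failed at `certificates.split(",")`. Since this endpoint parses untrusted input, pin the types before calling out: `if (typeof assertion !== 'string' || typeof audience !== 'string')` returning the same failure JSON. The call `certassertion.verify(assertion, audience, ...)` also changes the positional interface, so any caller not updated in this commit would presumably bind its callbacks one slot off without an error. doVerify's body continues past the end of the hunk.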
+++ b/verifier/lib/certassertion.js
@@ -44,6 +44,7 @@ url = require("url"),
 jwk = require("../../lib/jwcrypto/jwk"),
 jwt = require("../../lib/jwcrypto/jwt"),
 jwcert = require("../../lib/jwcrypto/jwcert"),
+vep = require("../../lib/jwcrypto/vep"),
 logger = require("../../libs/logging.js").logger;
 // configuration information to check the issuer
@@ -122,14 +123,16 @@ function retrieveHostPublicKey(host, successCB, errorCB) {
 // verify the tuple certList, assertion, audience
 //
-// certList is an array of serialized certs (strings)
-// assertion is a serialized jwt (string)
+// assertion is a bundle of the underlying assertion and the cert list
 // audience is a web origin, e.g. https://foo.com or http://foo.org:81
 //
 // pkRetriever should be sent in only by code that really understands
 // what it's doing, e.g. testing code.
-function verify(certList, assertion, audience, successCB, errorCB, pkRetriever) {
- jwcert.JWCert.verifyChain(certList, function(issuer, next) {
+function verify(assertion, audience, successCB, errorCB, pkRetriever) {
+ // assertion is bundle
+ var bundle = vep.unbundleCertsAndAssertion(assertion);
+
+ jwcert.JWCert.verifyChain(bundle.certificates, function(issuer, next) {
 // for now, only support the browserid.org issuer
 if (issuer != "browserid.org") {
 // allow other retrievers for now for testing
@@ -148,7 +151,7 @@ function verify(assertion, audience, successCB, errorCB, pkRetriever)
 retrieveHostPublicKey(issuer, next);
 }, function(pk, principal) {
 var tok = new jwt.JWT();
- tok.parse(assertion);
+ tok.parse(bundle.assertion);
 // audience must match!
 if (tok.audience != audience)
diff --git a/verifier/test/certassertion-test.js b/verifier/test/certassertion-test.js
index 8e0d0f294e7e5a1bb8da23bc9ca8a595815f3f7a..87d111051cbc0dde56e940fa2eca1ed7ca732426 100644
--- a/verifier/test/certassertion-test.js
+++ b/verifier/test/certassertion-test.js
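Review bot: `vep.unbundleCertsAndAssertion(assertion)` is applied to the raw, as-yet-unverified input and its result is used as `bundle.certificates` with no check that unbundling succeeded; if the helper throws on a malformed bundle, or returns an object without `certificates`, the failure escapes `verify` as a synchronous exception instead of reaching `errorCB`, which appears to be the only failure path the callers handle. I'd wrap the call, `try { var bundle = vep.unbundleCertsAndAssertion(assertion); } catch (e) { return errorCB("malformed assertion bundle"); }`, and add `if (!bundle || !bundle.certificates || !bundle.assertion) return errorCB("malformed assertion bundle");` before `verifyChain`; the same concern covers `tok.parse(bundle.assertion)` in the next hunk (@@ -148,7 +151,7 @@). The new comment `// assertion is bundle` restates the parameter name; `// assertion is a vep bundle of certs plus the inner assertion; split it before walking the chain` would tell the reader something. verify's body continues beyond the hunk.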
@@ -40,6 +40,7 @@ var vows = require("vows"),
 jwk = require("../../lib/jwcrypto/jwk"),
 jwt = require("../../lib/jwcrypto/jwt"),
 jwcert = require("../../lib/jwcrypto/jwcert"),
+ vep = require("../../lib/jwcrypto/vep"),
 events = require("events");
 vows.describe('certassertion').addBatch({
@@ -51,13 +52,14 @@ vows.describe('certassertion').addBatch({
 var cert = new jwcert.JWCert("fakeroot.com", new Date(), user_kp.publicKey, {email:"user@fakeroot.com"}).sign(root_kp.secretKey);
 var assertion = new jwt.JWT(null, new Date(), "rp.com").sign(user_kp.secretKey);
- var cb = this.callback;
+ var self = this;
+ var bundle = vep.bundleCertsAndAssertion([cert],assertion);
 // verify it
 certassertion.verify(
- [cert], assertion, "rp.com",
+ bundle, "rp.com",
 function(email, audience, expires) {
- cb({email:email, audience: audience, expires:expires});
+ self.callback({email:email, audience: audience, expires:expires});
 },
 function(msg) {},
 function(issuer, next) {