Newer
Older
import * as forge from "@vereign/node-forge";
import {
extractCertificatesDetails,
getClientCertificate,
isCertsExpired,
sortCertificateChain,
} from "./certUtils";
import { AppError } from "./errors";
import { getMessageFromSignature } from "./signatureUtils";
export const verify = (signature, signatureMeta) => {
const message = getMessageFromSignature(signature);
const {
certificates,
rawCapture: {
signature: sig,
authenticatedAttributes: attrs,
digestAlgorithm,
},
} = message;
const hashAlgorithmOid = forge.asn1.derToOid(digestAlgorithm);
const hashAlgorithm = forge.pki.oids[hashAlgorithmOid].toLowerCase();
const set = forge.asn1.create(
forge.asn1.Class.UNIVERSAL,
forge.asn1.Type.SET,
true,
attrs
);
const clientCertificate = getClientCertificate(certificates);
const digest = forge.md[hashAlgorithm]
.create()
.update(forge.asn1.toDer(set).data)
.digest()
.getBytes();
//FIXME: verification for some of the pdf documents is failing
// Encryption block is invalid.
// Check if the code is wrong or the PDF is not valid
// try {
// const validAuthenticatedAttributes = clientCertificate["publicKey"].verify(
// digest,
// sig
// );
// } catch (error) {
// console.log(error);
// }
// if (!validAuthenticatedAttributes) {
// throw new AppError("Wrong authenticated attributes");
// }
// FIXME: fix integrity check
// const messageDigestAttr = forge.pki.oids.messageDigest;
// const fullAttrDigest = attrs.find(
// (attr) => forge.asn1.derToOid(attr.value[0].value) === messageDigestAttr
// );
// const attrDigest = fullAttrDigest.value[1].value[0].value;
// const dataDigest = forge.md[hashAlgorithm]
// .create()
// .update(signedData.toString("latin1"))
// .digest()
// .getBytes();
// const integrity = dataDigest === attrDigest;
const sortedCerts = sortCertificateChain(certificates);
const parsedCerts = extractCertificatesDetails(sortedCerts);
//FIXME: fix authenticity check after you have the root cert
// const authenticity = authenticateSignature(sortedCerts);
const isExpired = isCertsExpired(sortedCerts);
return {
// verified: integrity && authenticity && !expired,
// authenticity,
// integrity,
isExpired,
meta: { certs: parsedCerts, ...signatureMeta },
};
};