verify.js

"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    var desc = Object.getOwnPropertyDescriptor(m, k);
    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
      desc = { enumerable: true, get: function() { return m[k]; } };
    }
    Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
    o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
    __setModuleDefault(result, mod);
    return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.verify = void 0;
const forge = __importStar(require("@vereign/node-forge"));
const certUtils_1 = require("./certUtils");
const errors_1 = require("./errors");
const signatureUtils_1 = require("./signatureUtils");
const verify = (signature, signatureMeta) => {
    const message = (0, signatureUtils_1.getMessageFromSignature)(signature);
    const { certificates, rawCapture: { signature: sig, authenticatedAttributes: attrs, digestAlgorithm, }, } = message;
    const hashAlgorithmOid = forge.asn1.derToOid(digestAlgorithm);
    const hashAlgorithm = forge.pki.oids[hashAlgorithmOid].toLowerCase();
    const set = forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SET, true, attrs);
    const clientCertificate = (0, certUtils_1.getClientCertificate)(certificates);
    const digest = forge.md[hashAlgorithm]
        .create()
        .update(forge.asn1.toDer(set).data)
        .digest()
        .getBytes();
    const validAuthenticatedAttributes = clientCertificate["publicKey"].verify(digest, sig);
    if (!validAuthenticatedAttributes) {
        throw new errors_1.AppError("Wrong authenticated attributes");
    }
    // WIP: fix integrity check
    //   const messageDigestAttr = forge.pki.oids.messageDigest;
    //   const fullAttrDigest = attrs.find(
    //     (attr) => forge.asn1.derToOid(attr.value[0].value) === messageDigestAttr
    //   );
    //   const attrDigest = fullAttrDigest.value[1].value[0].value;
    //   const dataDigest = forge.md[hashAlgorithm]
    //     .create()
    //     .update(signedData.toString("latin1"))
    //     .digest()
    // .getBytes();
    //   const integrity = dataDigest === attrDigest;
    const sortedCerts = (0, certUtils_1.sortCertificateChain)(certificates);
    const parsedCerts = (0, certUtils_1.extractCertificatesDetails)(sortedCerts);
    //WIP: fix authenticity check after you have the root cert
    //   const authenticity = authenticateSignature(sortedCerts);
    const isExpired = (0, certUtils_1.isCertsExpired)(sortedCerts);
    return {
        // verified: integrity && authenticity && !expired,
        // authenticity,
        // integrity,
        isExpired,
        meta: Object.assign({ certs: parsedCerts }, signatureMeta),
    };
};
exports.verify = verify;