PeculiarVentures / PKI.js

PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
http://pkijs.org

CertificateChainValidationEngine not respecting checkDate #345

Closed maganuk closed 2 years ago

maganuk commented 2 years ago

Hi,

I have these 4 certificates:

  -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ-----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

and I am trying to validate just the last certificate by passing it in the trusted certificates. When I set checkDate to undefined, the validation fails because one of the other certificates (not in the certificate chain) has expired.

Shouldn't the basicCheck method on the Engine ignore a certificate that is not in its path? Also, checkDate is set to new Date() by default, which will fail the validation anyway because the notBefore date is after new Date().

maganuk commented 2 years ago

@microshine So I figured out the bug: in the sort method we check that all certificates are unique. If the self-signed certificate is in the trusted certificates and you pass only the self-signed certificate in the certs to be validated, the certificate is removed from the bottom of the list in the localcerts variable (because there are duplicate entries). This affects the outcome of the certificate path.

microshine commented 2 years ago

@maganuk I'm migrating JS implementation to TS and going to test and fix that issue in new version

microshine commented 2 years ago

@maganuk Here is a test with your certificates on TS version of PKIjs

context.only("issue #345", async () => {
  // Parsed certificates shared by every test in this suite; filled by the before() hook below.
  const certs: pkijs.Certificate[] = [];
  // The four PEM certificates from the issue report, in the order the reporter posted them.
  // Per the report, the last entry is the certificate being validated.
  const certsPem = [
    "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----",
    // Issuer and subject of this entry both decode to "DST Root CA X3"; its encoded validity
    // runs from 2000-09-30 to 2021-09-30, so it is outside its validity period for any later checkDate.
    "-----BEGIN CERTIFICATE-----\nMIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n-----END CERTIFICATE-----",
    // NOTE(review): unlike the other three literals, this one has "==" between the "\n" and the END marker — confirm utils.fromPEM decodes it as intended.
    "-----BEGIN CERTIFICATE-----\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\n==-----END CERTIFICATE-----",
  ];

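  // Decode every PEM fixture into a pkijs.Certificate once, before the tests in this suite run.
  before(() => {
    for (const certPem of certsPem) {
      const certRaw = utils.fromPEM(certPem);
      const certAsn = asn1js.fromBER(certRaw);
      // asn1js signals a decode failure through offset === -1 instead of throwing.
      // Stop here so a damaged fixture is reported as such, rather than surfacing
      // later as a schema error or a misleading chain-validation result.
      if (certAsn.offset === -1) {
        throw new Error("issue #345 fixture: certificate is not valid BER/DER");
      }
      const cert = new pkijs.Certificate({ schema: certAsn.result });

      certs.push(cert);
    }
  });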

  // Passes `checkDate: undefined` explicitly, the setting the issue reporter used,
  // and expects the chain to validate.
  // NOTE(review): whether undefined skips the validity-period check or falls back to
  // the engine's default date is not visible in this test — confirm against the engine.
  it("checkDate is undefined", async () => {
    const engine = new pkijs.CertificateChainValidationEngine({
      certs,
      // Same array as `certs`: every fixture certificate is also a trust anchor here,
      // so this case covers date handling only, not the separation of trust anchors.
      trustedCerts: certs,
      checkDate: undefined,
    });
    const { result } = await engine.verify();
    assert.strictEqual(result, true);
  });

  // No checkDate is supplied, so the engine uses its own default.
  // NOTE(review): the issue thread says the default is `new Date()`. If so, this
  // expectation depends on the wall clock: the sibling cases pass at 2025-01-01 and
  // fail at 2040-01-01, so this one would start failing once the fixtures expire.
  it("checkDate is default", async () => {
    const engine = new pkijs.CertificateChainValidationEngine({
      certs,
      trustedCerts: certs, // same array as `certs`: all fixtures are trust anchors
    });
    const verification = await engine.verify();
    const passed = verification.result;
    assert.strictEqual(passed, true);
  });

  // A check date of 2040-01-01 must be rejected: the test expects verify() to report
  // result === false when the date is past the certificate's notAfter.
  it("checkDate is greater that notAfter", async () => {
    const afterExpiry = new Date("2040-01-01");
    const engine = new pkijs.CertificateChainValidationEngine({
      certs,
      trustedCerts: certs,
      checkDate: afterExpiry,
    });
    const { result } = await engine.verify();
    assert.strictEqual(result, false);
  });

  // A check date of 2010-01-01 must be rejected: the test expects verify() to report
  // result === false when the date is before the certificate's notBefore.
  it("checkDate is less that notBefore", async () => {
    const beforeIssuance = new Date("2010-01-01");
    const engine = new pkijs.CertificateChainValidationEngine({
      certs,
      trustedCerts: certs,
      checkDate: beforeIssuance,
    });
    const { result } = await engine.verify();
    assert.strictEqual(result, false);
  });

  // A pinned check date of 2025-01-01 is expected to validate. Unlike the default-date
  // case, this expectation does not depend on when the suite is run.
  it("checkDate is correct", async () => {
    const withinValidity = new Date("2025-01-01");
    const engine = new pkijs.CertificateChainValidationEngine({
      certs,
      trustedCerts: certs, // same array as `certs`: all fixtures are trust anchors
      checkDate: withinValidity,
    });
    const verification = await engine.verify();
    assert.strictEqual(verification.result, true);
  });
});

Output

> pkijs@2.2.2 test
> mocha

  issue #345
    ✔ checkDate is undefined
    ✔ checkDate is default
    ✔ checkDate is greater that notAfter
    ✔ checkDate is less that notBefore
    ✔ checkDate is correct

  5 passing (55ms)

Looks like the problem with checkDate is fixed. This fix will be published in the major upgrade v3.x

maganuk commented 2 years ago

@microshine Thanks very much, looks great!!! Where can I see the changes to the code base? Could you please refer me to the commit?

microshine commented 2 years ago

I've published beta version of pkijs. Please try it

npm i pkijs@beta

# or

npm i pkijs@3.0.1-2
maganuk commented 2 years ago

Thanks very much for the fix. I'll give it a go