Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
verify(pdfBuffer) {
if (!(pdfBuffer instanceof Buffer)) {
throw new SignPdfError(
'PDF expected as Buffer.',
SignPdfError.TYPE_INPUT,
);
}
try {
const {signature, signedData} = extractSignature(pdfBuffer);
const p7Asn1 = forge.asn1.fromDer(signature);
const message = forge.pkcs7.messageFromAsn1(p7Asn1);
const sig = message.rawCapture.signature;
// TODO: when node-forge implemets pkcs7.verify method,
// we should use message.verify to verify the whole signature
// instead of validating authenticatedAttributes only
const attrs = message.rawCapture.authenticatedAttributes;
const hashAlgorithmOid = forge.asn1.derToOid(message.rawCapture.digestAlgorithm);
const hashAlgorithm = forge.pki.oids[hashAlgorithmOid].toUpperCase();
const set = forge.asn1.create(
forge.asn1.Class.UNIVERSAL,
forge.asn1.Type.SET,
true,
attrs,
);
const buf = Buffer.from(forge.asn1.toDer(set).data, 'binary');
const cert = forge.pki.certificateToPem(message.certificates[0]);
const validAuthenticatedAttributes = crypto.createVerify(hashAlgorithm)
readData (cmsData, callback) {
if (!Buffer.isBuffer(cmsData)) {
return callback(new Error('CMS data is required'))
}
const self = this
let cms
try {
const buf = forge.util.createBuffer(cmsData.toString('binary'));
const obj = forge.asn1.fromDer(buf)
cms = forge.pkcs7.messageFromAsn1(obj)
} catch (err) {
return callback(new Error('Invalid CMS: ' + err.message))
}
// Find a recipient whose key we hold. We only deal with recipient certs
// issued by ipfs (O=ipfs).
const recipients = cms.recipients
.filter(r => r.issuer.find(a => a.shortName === 'O' && a.value === 'ipfs'))
.filter(r => r.issuer.find(a => a.shortName === 'CN'))
.map(r => {
return {
recipient: r,
keyId: r.issuer.find(a => a.shortName === 'CN').value
}
})
async.detect(
// Set the issuer to the parent key
clientcert.setIssuer(attrs);
clientcert.publicKey = clientkeys.publicKey;
// Sign client cert with root cert
clientcert.sign(keyPair.privateKey);
pem.clientprivate = forge.pki.privateKeyToPem(clientkeys.privateKey);
pem.clientpublic = forge.pki.publicKeyToPem(clientkeys.publicKey);
pem.clientcert = forge.pki.certificateToPem(clientcert);
if (options.pkcs7) {
var clientp7 = forge.pkcs7.createSignedData();
clientp7.addCertificate(clientcert);
pem.clientpkcs7 = forge.pkcs7.messageToPem(clientp7);
}
}
var caStore = forge.pki.createCaStore();
caStore.addCertificate(cert);
try {
forge.pki.verifyCertificateChain(caStore, [cert],
function (vfd, depth, chain) {
if (vfd !== true) {
throw new Error('Certificate could not be verified.');
}
return true;
});
}
catch(ex) {
export function signManifest(
certificate: forge.pki.Certificate,
key: forge.pki.PrivateKey,
manifest: string,
): Buffer {
// create PKCS#7 signed data
const p7 = forge.pkcs7.createSignedData();
p7.content = manifest;
p7.addCertificate(certificate);
p7.addCertificate(APPLE_CA_CERTIFICATE);
p7.addSigner({
key: forge.pki.privateKeyToPem(key),
certificate,
digestAlgorithm: forge.pki.oids.sha1,
authenticatedAttributes: [
{
type: forge.pki.oids.contentType,
value: forge.pki.oids.data,
},
{
type: forge.pki.oids.messageDigest,
// value will be auto-populated at signing time
},
export function signManifest(
certificate: forge.pki.Certificate,
key: forge.pki.PrivateKey,
manifest: string,
): Buffer {
// create PKCS#7 signed data
const p7 = forge.pkcs7.createSignedData();
p7.content = manifest;
p7.addCertificate(certificate);
p7.addCertificate(APPLE_CA_CERTIFICATE);
p7.addSigner({
key: forge.pki.privateKeyToPem(key),
certificate,
digestAlgorithm: forge.pki.oids.sha1,
authenticatedAttributes: [
{
type: forge.pki.oids.contentType,
value: forge.pki.oids.data,
},
{
type: forge.pki.oids.messageDigest,
// value will be auto-populated at signing time
},
clientcert.setSubject(clientAttrs);
// Set the issuer to the parent key
clientcert.setIssuer(attrs);
clientcert.publicKey = clientkeys.publicKey;
// Sign client cert with root cert
clientcert.sign(keyPair.privateKey);
pem.clientprivate = forge.pki.privateKeyToPem(clientkeys.privateKey);
pem.clientpublic = forge.pki.publicKeyToPem(clientkeys.publicKey);
pem.clientcert = forge.pki.certificateToPem(clientcert);
if (options.pkcs7) {
var clientp7 = forge.pkcs7.createSignedData();
clientp7.addCertificate(clientcert);
pem.clientpkcs7 = forge.pkcs7.messageToPem(clientp7);
}
}
var caStore = forge.pki.createCaStore();
caStore.addCertificate(cert);
try {
forge.pki.verifyCertificateChain(caStore, [cert],
function (vfd, depth, chain) {
if (vfd !== true) {
throw new Error('Certificate could not be verified.');
}
return true;
});
.digest()
.toHex()
.match(/.{2}/g)
.join(':');
var pem = {
private: forge.pki.privateKeyToPem(keyPair.privateKey),
public: forge.pki.publicKeyToPem(keyPair.publicKey),
cert: forge.pki.certificateToPem(cert),
fingerprint: fingerprint,
};
if (options && options.pkcs7) {
var p7 = forge.pkcs7.createSignedData();
p7.addCertificate(cert);
pem.pkcs7 = forge.pkcs7.messageToPem(p7);
}
if (options && options.clientCertificate) {
var clientkeys = forge.pki.rsa.generateKeyPair(1024);
var clientcert = forge.pki.createCertificate();
clientcert.serialNumber = toPositiveHex(forge.util.bytesToHex(forge.random.getBytesSync(9)));
clientcert.validity.notBefore = new Date();
clientcert.validity.notAfter = new Date();
clientcert.validity.notAfter.setFullYear(clientcert.validity.notBefore.getFullYear() + 1);
var clientAttrs = JSON.parse(JSON.stringify(attrs));
for(var i = 0; i < clientAttrs.length; i++) {
if(clientAttrs[i].name === 'commonName') {
if( options.clientCertificateCN )
clientAttrs[i] = { name: 'commonName', value: options.clientCertificateCN };
.create()
.update(forge.asn1.toDer(forge.pki.certificateToAsn1(cert)).getBytes())
.digest()
.toHex()
.match(/.{2}/g)
.join(':');
var pem = {
private: forge.pki.privateKeyToPem(keyPair.privateKey),
public: forge.pki.publicKeyToPem(keyPair.publicKey),
cert: forge.pki.certificateToPem(cert),
fingerprint: fingerprint,
};
if (options && options.pkcs7) {
var p7 = forge.pkcs7.createSignedData();
p7.addCertificate(cert);
pem.pkcs7 = forge.pkcs7.messageToPem(p7);
}
if (options && options.clientCertificate) {
var clientkeys = forge.pki.rsa.generateKeyPair(1024);
var clientcert = forge.pki.createCertificate();
clientcert.serialNumber = toPositiveHex(forge.util.bytesToHex(forge.random.getBytesSync(9)));
clientcert.validity.notBefore = new Date();
clientcert.validity.notAfter = new Date();
clientcert.validity.notAfter.setFullYear(clientcert.validity.notBefore.getFullYear() + 1);
var clientAttrs = JSON.parse(JSON.stringify(attrs));
for(var i = 0; i < clientAttrs.length; i++) {
if(clientAttrs[i].name === 'commonName') {
private _sign(manifest: schema.Manifest): Buffer {
const signature = forge.pkcs7.createSignedData();
signature.content = forge.util.createBuffer(JSON.stringify(manifest), "utf8");
signature.addCertificate(this.Certificates.wwdr);
signature.addCertificate(this.Certificates.signerCert);
/**
* authenticatedAttributes belong to PKCS#9 standard.
* It requires at least 2 values:
* • content-type (which is a PKCS#7 oid) and
* • message-digest oid.
*
* Wallet requires a signingTime.
*/
signature.addSigner({
const getMessageFromSignature = (signature) => {
const p7Asn1 = forge.asn1.fromDer(signature);
return forge.pkcs7.messageFromAsn1(p7Asn1);
};