PeculiarVentures/x509

signature verification failing for x509 certificate with ECDSA signature algorithm

rahuledjx opened this issue · 2 comments

Signature verification is failing for an x509 certificate.

Current Behaviour: isSame is coming back false
Expected Behaviour: isSame should be true

Code:

    import { writeFileSync, readFileSync } from 'fs';
    import { join } from 'path';
    import * as x509 from '@peculiar/x509';
    import { Crypto } from '@peculiar/webcrypto';

    // Use @peculiar/webcrypto as the crypto provider for @peculiar/x509
    const crypto = new Crypto();
    x509.cryptoProvider.set(crypto);

    // chain.pem supplies the public key; cert.pem is the certificate being checked
    const chain = new x509.X509Certificate(
      readFileSync(join('chain.pem')).toString()
    );
    const cert = new x509.X509Certificate(
      readFileSync(join('cert.pem')).toString()
    );
    const publicKey = await chain.publicKey.export();

    // Verify the signature over the TBS bytes of cert.pem
    const isSame = await crypto.subtle.verify(
      cert.signatureAlgorithm,
      publicKey,
      cert.signature, // BufferSource
      cert.tbs
    );

cert.pem:


chain.pem


@rahuledjx thank you for that issue. I found the problem and am going to fix it shortly.

I fixed that problem and published the new version @peculiar/x509@1.1.0

Also, I extended the verify method for X509Certificate. It allows using a CryptoKey, PublicKey, or X509Certificate as the publicKey parameter.

    const ok = await leaf.verify({
      signatureOnly: true,
      publicKey: ca,
    });

I added your test example to mocha tests https://github.com/PeculiarVentures/x509/blob/master/test/crypto.ts#L651
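
One thing to check when certificate fields are passed straight to `subtle.verify` for ECDSA: X.509 carries the signature as a DER `ECDSA-Sig-Value` (a SEQUENCE of the INTEGERs r and s), while WebCrypto's ECDSA verify takes the fixed-width concatenation r||s. The thread does not say what the 1.1.0 fix changed; the block below is an added example, not part of the thread or of @peculiar/x509's code, and its function names are hypothetical.

```javascript
// Added example (not from @peculiar/x509): convert a DER ECDSA-Sig-Value
// into the fixed-width r||s form that WebCrypto's ECDSA verify expects.

// Read one DER length at `pos`; returns [length, nextPos]. Supports the
// short form and the one-byte long form (0x81), which is enough for P-521.
function readLength(der, pos) {
  if (pos >= der.length) throw new Error('truncated DER');
  const first = der[pos];
  if (first < 0x80) return [first, pos + 1];
  if (first !== 0x81 || pos + 1 >= der.length) throw new Error('unsupported DER length');
  return [der[pos + 1], pos + 2];
}

// Read one INTEGER at `pos` and return it left-padded to `size` bytes.
function readInteger(der, pos, size) {
  if (der[pos] !== 0x02) throw new Error('expected INTEGER');
  const [len, start] = readLength(der, pos + 1);
  const end = start + len;
  if (len === 0 || end > der.length) throw new Error('bad INTEGER length');
  if (der[start] & 0x80) throw new Error('negative INTEGER');
  let bytes = der.subarray(start, end);
  // DER prepends a 0x00 sign byte when the top bit of the value is set.
  while (bytes.length > 1 && bytes[0] === 0x00) bytes = bytes.subarray(1);
  if (bytes.length > size) throw new Error('INTEGER too large for curve');
  const out = new Uint8Array(size);
  out.set(bytes, size - bytes.length);
  return [out, end];
}

// size is the curve's coordinate length: 32 (P-256), 48 (P-384), 66 (P-521).
function derToP1363(derSig, size) {
  const der = new Uint8Array(derSig);
  if (der[0] !== 0x30) throw new Error('expected SEQUENCE');
  const [seqLen, body] = readLength(der, 1);
  if (body + seqLen !== der.length) throw new Error('trailing or missing bytes');
  const [r, afterR] = readInteger(der, body, size);
  const [s, afterS] = readInteger(der, afterR, size);
  if (afterS !== der.length) throw new Error('unexpected data after s');
  const sig = new Uint8Array(size * 2);
  sig.set(r, 0);
  sig.set(s, size);
  return sig;
}

// Hypothetical helper: `key` is a CryptoKey imported for ECDSA verification.
async function verifyDerEcdsa(key, hash, derSig, data, size) {
  return globalThis.crypto.subtle.verify({ name: 'ECDSA', hash }, key, derToP1363(derSig, size), data);
}
```

Rejecting trailing bytes, negative integers and oversized values keeps the converter from accepting more than one encoding of the same signature.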