author | Matthew Miller <matthew@millerti.me> | 2020-07-02 21:01:00 -0700 |
committer | Matthew Miller <matthew@millerti.me> | 2020-07-02 21:01:13 -0700 |
commit | 6b69093a168523709bc379e7836fbbbfde9570ca (patch) | |
tree | 9bd392326961b563af2949141342e33222d843ee | |
parent | 11be7353ebcc3f9e6181f2d98473ec69d6b62a18 (diff) |
Validate certificate path after downloading TOC
-rw-r--r-- | packages/server/src/helpers/constants.ts | 4 | ||||
-rw-r--r-- | packages/server/src/metadata/metadataService.ts | 20 |
2 files changed, 21 insertions, 3 deletions
diff --git a/packages/server/src/helpers/constants.ts b/packages/server/src/helpers/constants.ts
index 02075b5..e4fbd69 100644
--- a/packages/server/src/helpers/constants.ts
+++ b/packages/server/src/helpers/constants.ts
@@ -2,7 +2,7 @@ import dotenv from 'dotenv';
 dotenv.config();
-const { ENABLE_MDS, MDS_API_TOKEN, MDS_TOC_URL } = process.env;
+const { ENABLE_MDS, MDS_API_TOKEN, MDS_TOC_URL, MDS_ROOT_CERT_URL } = process.env;
 /**
 * Supported environment variables:
@@ -11,9 +11,11 @@ const { ENABLE_MDS, MDS_API_TOKEN, MDS_TOC_URL } = process.env;
 * @prop `MDS_API_TOKEN`: FIDO Metadata Service API token (see https://fidoalliance.org/metadata/)
 * @prop `MDS_TOC_URL`: Alternative URL to the FIDO Metadata Service TOC endpoint (defaults to
 * https://mds2.fidoalliance.org/)
+ * @prop `MDS_ROOT_CERT_URL`: URL to root certificate for completing certificate chains
 */
 export const ENV_VARS = {
 ENABLE_MDS: ENABLE_MDS === 'true' ? true : false,
 MDS_API_TOKEN: MDS_API_TOKEN || '',
 MDS_TOC_URL: MDS_TOC_URL || 'https://mds2.fidoalliance.org/',
+ MDS_ROOT_CERT_URL: MDS_ROOT_CERT_URL || 'https://mds.fidoalliance.org/Root.cer',
 };
diff --git a/packages/server/src/metadata/metadataService.ts b/packages/server/src/metadata/metadataService.ts
index 4eee0a8..0b9d555 100644
--- a/packages/server/src/metadata/metadataService.ts
+++ b/packages/server/src/metadata/metadataService.ts
@@ -3,10 +3,12 @@ import fetch from 'node-fetch';
 import { ENV_VARS } from '../helpers/constants';
 import toHash from '../helpers/toHash';
+import validateCertificatePath from '../helpers/validateCertificatePath';
+import convertASN1toPEM from '../helpers/convertASN1toPEM';
 import parseJWT from './parseJWT';
-const { ENABLE_MDS, MDS_TOC_URL, MDS_API_TOKEN } = ENV_VARS;
+const { ENABLE_MDS, MDS_TOC_URL, MDS_API_TOKEN, MDS_ROOT_CERT_URL } = ENV_VARS;
 type CachedAAGUID = {
 url: string;
@@ -111,7 +113,21 @@ class MetadataService {
 return;
 }
- // Convert the nextUpdate property into a Date so we can detemrine when to redownload
+ // Download FIDO the root certificate and append it to the TOC certs
+ const respFIDORootCert = await fetch(MDS_ROOT_CERT_URL);
+ const rootCert = await respFIDORootCert.text();
+ const fullCertPath = header.x5c.map(convertASN1toPEM).concat(rootCert);
+
+ try {
+ // Validate the certificate chain
+ validateCertificatePath(fullCertPath);
+ } catch (err) {
+ console.error(err);
+ // From FIDO MDS docs: "The FIDO Server SHOULD ignore the file if the signature is invalid."
+ return;
+ }
+
+ // Convert the nextUpdate property into a Date so we can determine when to redownload
 const [year, month, day] = payload.nextUpdate.split('-');
 this.nextUpdate = new Date(
 parseInt(year, 10), |
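Review bot: The trust anchor for the new chain check is itself fetched at runtime from `MDS_ROOT_CERT_URL` and appended with `.concat(rootCert)`, so `validateCertificatePath(fullCertPath)` only proves the TOC chains to whatever that URL (overridable through the environment) served over TLS, not to the FIDO root specifically. Bundling the root certificate with the package, or at minimum comparing the downloaded certificate against a pinned fingerprint before appending it, would make the signature check independent of that second fetch. The response body is also used without a status check, so an error page would be concatenated into the path; a guard such as `if (!respFIDORootCert.ok) { console.error(...); return; }` before `.text()` keeps that case on the same ignore-the-file path as a bad signature. If the endpoint serves the certificate as DER rather than PEM (the `.cer` name suggests it might), `.text()` will corrupt it and the chain will never validate — worth confirming the format and reading it as bytes if so. Note that a network failure in `fetch` sits outside the `try`, so it propagates where a signature failure is swallowed; the enclosing method begins before this hunk.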