Improve x509 certificate parsing.

Author: dlongley

lib/authorizationRequest.js

@@ -56,7 +56,9 @@ export async function get({
       fetched = true;
       ({
         payload: authorizationRequest, response, jwt
-      } = await _fetch({requestUrl, getVerificationKey, agent}));
+      } = await _fetch({
+        requestUrl, getTrustedCertificates, getVerificationKey, agent
+      }));
     }
 
     // ensure authorization request is valid
@@ -205,13 +207,26 @@ async function _checkClientIdSchemeRequirements({
     if(!certificatePublicKey) {
       throw createNamedError({
         message:
-          'Client ID schemes starting with "x509_" must use the "x5c" header ' +
+          'No "x5c" header with an acceptable public key found; client ID ' +
+          'schemes starting with "x509_" must use the "x5c" header ' +
           'to provide an X.509 certificate with the public key for verifying ' +
           'the request.',
         name: 'DataError'
       });
     }
 
+    // ensure trusted certs can be retrieved
+    if(typeof getTrustedCertificates !== 'function') {
+      throw createNamedError({
+        message:
+          'No "getTrustedCertificates" function provided; client ID schemes ' +
+          'starting with "x509_" require such a function to be provided ' +
+          'that will return the certificates that are to be trusted ' +
+          'when verifying X.509 certificate chains.',
+        name: 'DataError'
+      });
+    }
+
     // get trusted certificates for `x5c` and verify chain
     const {x5c} = protectedHeader;
     const chain = parseCertificateChain({x5c});
@@ -230,7 +245,7 @@ async function _checkClientIdSchemeRequirements({
       });
     }
 
-    let {clientId} = authorizationRequest;
+    let {client_id: clientId} = authorizationRequest;
     clientId = clientId.startsWith(`${clientIdScheme}:`) ?
       clientId.slice(clientIdScheme.length + 2) : clientId;
 
@@ -271,7 +286,7 @@ async function _checkClientIdSchemeRequirements({
     // DID expressed in client ID; this is checked by default when a proper
     // DID resolver is used in `getVerificationKey` but this check provides
     // a partial additional sanity check
-    let {clientId} = authorizationRequest;
+    let {client_id: clientId} = authorizationRequest;
     clientId = clientId.startsWith('decentralized_identifier:did:') ?
       clientId.slice('decentralized_identifier:'.length + 1) : clientId;
     if(!protectedHeader?.kid?.startsWith(clientId + '#')) {
@@ -322,6 +337,14 @@ function _get(sp, name) {
   return value === null ? undefined : value;
 }
 
+function _importPublicKeyFromX5c({x5c}) {
+  if(x5c?.[0]) {
+    const pem =
+      `-----BEGIN CERTIFICATE-----\n${x5c[0]}\n-----END CERTIFICATE-----`;
+    return importX509(pem, 'ES256');
+  }
+}
+
 async function _parseJwt({
   jwt, getTrustedCertificates, getVerificationKey, signatureRequired
 }) {
@@ -347,7 +370,7 @@ async function _parseJwt({
     // parse any `x5c` to get certificate public key and include that in
     // `getVerificationKey` params
     const {x5c} = protectedHeader;
-    certificatePublicKey = x5c ? await importX509(x5c, 'ES256') : undefined;
+    certificatePublicKey = await _importPublicKeyFromX5c({x5c});
     if(getVerificationKey) {
       return getVerificationKey({
         protectedHeader, certificatePublicKey,

lib/x509.js

@@ -12,18 +12,12 @@ export function fromPemOrBase64(str) {
   const tag = 'CERTIFICATE';
   const pattern = new RegExp(
     `-{5}BEGIN ${tag}-{5}([a-zA-Z0-9=+\\/\\n\\r]+)-{5}END ${tag}-{5}`, 'g');
-
-  const certificates = [];
-  // FIXME: use regex split instead
-  // FIXME: ensure if there are no matches to just run base64Decode()
-  let matches = pattern.exec(str);
-  while(matches) {
-    const base64 = matches[1].replace(/\r/g, '').replace(/\n/g, '');
-    certificates.push(Certificate.fromBER(base64Decode(base64)));
-    matches = pattern.exec(str);
+  const matches = pattern.exec(str);
+  if(!matches) {
+    throw new Error('No PEM or Base64-formatted certificate found.');
   }
-
-  return certificates;
+  const b64 = matches[1].replace(/\r/g, '').replace(/\n/g, '');
+  return _fromBase64(b64);
 }
 
 export function hasDomainSubjectAltName({certificate, name} = {}) {
@@ -38,8 +32,6 @@ export function hasDomainSubjectAltName({certificate, name} = {}) {
       }
     }
   }
-  // FIXME: remove logging
-  console.log('subjectAltNames', subjectAltNames);
   return subjectAltNames.has(name);
 }
 
@@ -63,3 +55,7 @@ export async function verifyCertificateChain({
   const verifyResult = await chainEngine.verify();
   return verifyResult;
 }
+
+function _fromBase64(str) {
+  return Certificate.fromBER(base64Decode(str));
+}