UNPKG

islandis-login

Version:

Island.is Identification and Authentication Services (Login) for Node.js

github.com/pmm1/islandis-login

pmm1/islandis-login

125 lines (99 loc) 3.46 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
const { xpath } = require("xml-crypto"); const { DOMParser } = require("@xmldom/xmldom"); const { SignedXml } = require("xml-crypto"); const { Certificate } = require("@fidm/x509"); const { readFileSync } = require("fs"); /** * * A key info provider implementation * */ function FileKeyInfo(key) { this.key = key; this.getKeyInfo = function(key, prefix) { prefix = prefix || ""; prefix = prefix ? prefix + ":" : prefix; return `<${prefix}X509Data></${prefix}X509Data>`; }; this.getKey = function() { return this.key; }; } function isCertificateDataValid(cert) { const { serialName } = cert.subject; const { organizationName } = cert.issuer; const { validFrom, validTo } = cert; if (serialName !== "6503760649" || organizationName !== "Audkenni hf.") { return false; } const timestamp = Date.now(); if ( timestamp < new Date(validFrom).getTime() || timestamp > new Date(validTo).getTime() ) { return false; } return true; } function checkSignature(doc, pem, xml) { const signature = xpath( doc, "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']" )[0]; const sig = new SignedXml(); sig.keyInfoProvider = new FileKeyInfo(pem); sig.loadSignature(signature); const isValid = sig.checkSignature(xml); return isValid; } function isCertificateValid(certificate, certPath) { // Reference: https://www.audkenni.is/adstod/skilriki-kortum/skilrikjakedjur/ const FullgiltAudkenni = Certificate.fromPEM(readFileSync(certPath)); // we only need to verify the authority cert because that is the cert used // to sign the message from Island.is if ( FullgiltAudkenni.verifySubjectKeyIdentifier() && certificate.verifySubjectKeyIdentifier() && FullgiltAudkenni.checkSignature(certificate) === null && certificate.isIssuer(FullgiltAudkenni) ) { return true; } return false; } function certToPEM(cert) { return `-----BEGIN CERTIFICATE-----\n${cert}\n-----END CERTIFICATE-----`; } /* Validates x509 certificate validity, checks certificate and validates digital signature of XML. */ function validate(xml, signature, certPath) { return new Promise((resolve, reject) => { const doc = new DOMParser().parseFromString(xml); // construct x509 certificate const pem = certToPEM(signature); const cert = Certificate.fromPEM(new Buffer.from(pem)); // Verify certificate data, i.e. // serialNumber & organization name is Auðkenni etc. if (!isCertificateDataValid(cert)) { return reject("XML message is not signed by Auðkenni."); } // Verify that the XML document provided by the request was signed by the // certificate provided with the request. if (!checkSignature(doc, pem, xml)) { return reject("XML signature is invalid."); } // Verify that the certificate we get from the Island.is request // is signed and issued by the certificate provided via 'certPath'. if (!isCertificateValid(cert, certPath)) { return reject( "The XML document is not signed by Þjóðskrá Íslands." ); } return resolve(); }); } module.exports = { validateCert: validate, };