hashicorp · hellobontempo · Jul 19, 2023 · Jul 18, 2023 · Jul 18, 2023 · Jul 18, 2023
@@ -24,7 +24,7 @@ export const EXTENSION_OIDs = {
 };
 
 // these are allowed ext oids, but not parsed and passed to cross-signed certs
-export const IGNORED_OIDs = {
+export const OTHER_OIDs = {
   // These two extensions are controlled by the parent authority.
   authority_key_identifier: '2.5.29.35',
   authority_access_info: '1.3.6.1.5.5.7.1.1',

@@ -9,7 +9,7 @@ import { Certificate } from 'pkijs';
 import { differenceInHours, getUnixTime } from 'date-fns';
 import {
   EXTENSION_OIDs,
-  IGNORED_OIDs,
+  OTHER_OIDs,
   KEY_USAGE_BITS,
   SAN_TYPES,
   SIGNATURE_ALGORITHM_OIDs,
@@ -131,15 +131,29 @@ export async function verifyCertificates(certA, certB, leaf) {
   const parsedCertB = jsonToCertObject(certB);
   if (leaf) {
     const parsedLeaf = jsonToCertObject(leaf);
-    const chainA = await parsedLeaf.verify(parsedCertA);
-    const chainB = await parsedLeaf.verify(parsedCertB);
+    const chainA = await verifySignature(parsedCertA, parsedLeaf);
+    const chainB = await verifySignature(parsedCertB, parsedLeaf);
     // the leaf's issuer should be equal to the subject data of the intermediate certs
     const isEqualA = parsedLeaf.issuer.isEqual(parsedCertA.subject);
     const isEqualB = parsedLeaf.issuer.isEqual(parsedCertB.subject);
     return chainA && chainB && isEqualA && isEqualB;
   }
   // can be used to validate if a certificate is self-signed (i.e. a root cert), by passing it as both certA and B
-  return (await parsedCertA.verify(parsedCertB)) && parsedCertA.issuer.isEqual(parsedCertB.subject);
+  return (await verifySignature(parsedCertA, parsedCertB)) && parsedCertA.issuer.isEqual(parsedCertB.subject);
+}
+
+async function verifySignature(parent, child) {
+  try {
+    // ed25519 is an unsupported signature algorithm
+    // catch the error and instead check the AKID (authority key ID) includes the SKID (subject key ID)
+    return await child.verify(parent);
+  } catch (error) {
+    const skidExtension = parent.extensions.find((ext) => ext.extnID === OTHER_OIDs.subject_key_identifier);
+    const akidExtension = parent.extensions.find((ext) => ext.extnID === OTHER_OIDs.authority_key_identifier);
+    const skid = new Uint8Array(skidExtension.parsedValue.valueBlock.valueHex);
+    const akid = new Uint8Array(akidExtension.extnValue.valueBlock.valueHex);
+    return akid.toString().includes(skid.toString());
+  }
 }
 
 //* PARSING HELPERS
@@ -182,7 +196,7 @@ export function parseExtensions(extensions) {
   if (!extensions) return null;
   const values = {};
   const errors = [];
-  const allowedOids = Object.values({ ...EXTENSION_OIDs, ...IGNORED_OIDs });
+  const allowedOids = Object.values({ ...EXTENSION_OIDs, ...OTHER_OIDs });
   const isUnknownExtension = (ext) => !allowedOids.includes(ext.extnID);
   if (extensions.any(isUnknownExtension)) {
     const unknown = extensions.filter(isUnknownExtension).map((ext) => ext.extnID);

@@ -18,7 +18,10 @@ import {
   pssTrueCert,
   skeletonCert,
   unsupportedOids,
+  unsupportedSignatureRoot,
+  unsupportedSignatureInt,
 } from 'vault/tests/helpers/pki/values';
+import { verifyCertificates } from 'vault/utils/parse-pki-cert';
 
 module('Integration | Util | parse pki certificate', function (hooks) {
   setupTest(hooks);
@@ -227,6 +230,14 @@ module('Integration | Util | parse pki certificate', function (hooks) {
     );
   });
 
+  test('the helper verifyCertificates catches errors', async function (assert) {
+    assert.expect(2);
+    const verifiedRoot = await verifyCertificates(unsupportedSignatureRoot, unsupportedSignatureRoot);
+    const verifiedInt = await verifyCertificates(unsupportedSignatureInt, unsupportedSignatureInt);
+    assert.true(verifiedRoot, 'returns true for root certificate');
+    assert.false(verifiedInt, 'returns false for intermediate cert');
+  });
+
   test('it fails silently when passed null', async function (assert) {
     assert.expect(3);
     const parsedCert = parseCertificate(certWithoutCN);