fix(deps): Bump pkijs from 3.0.7 to 3.0.14 (#543)

Bumps [pkijs](https://github.com/PeculiarVentures/PKI.js) from 3.0.7 to 3.0.14. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/PeculiarVentures/PKI.js/releases">pkijs's releases</a>.</em></p> <blockquote> <h2>v3.0.8</h2> <p>Fixes:</p> <ul> <li>Align SignedData verification result with v2</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/469c403d102ee5149e8eb9ad19754c9696ed7c55"><code>469c403</code></a> 3.0.14</li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/3beb2e26365415451b99415dfc6e3644b7f77ee9"><code>3beb2e2</code></a> chore: Update links for examples</li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/90a4f439898637769736e0f639b3b9d1cbe02f8d"><code>90a4f43</code></a> 3.0.13</li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/449748e6db0ca93aeb4149e0d524184a75f5971e"><code>449748e</code></a> fix: support disableSplit for EnvelopedData</li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/48df27671bb5586e0799a78468d37788c28266f3"><code>48df276</code></a> 3.0.12</li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/7e33c0ca2f32e375d6b92a528a878cadca1b5517"><code>7e33c0c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/PeculiarVentures/PKI.js/issues/374">#374</a> from PeculiarVentures/cms-enveloped</li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/89bd358bee688352ea7325c13b8b6862e3e22f43"><code>89bd358</code></a> fix: support CryptoKey for EnvelopedData</li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/72d175c9edbc8e00c550dee610a8dac6204f4383"><code>72d175c</code></a> 3.0.11</li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/550e422e9911066de0a5764c9cc69dea22bdcdf0"><code>550e422</code></a> fix: issue <a href="https://github-redirect.dependabot.com/PeculiarVentures/PKI.js/issues/373">#373</a></li> <li><a href="https://github.com/PeculiarVentures/PKI.js/commit/b394d8e8e70b0aae3f5e380d70007d3d116f902f"><code>b394d8e</code></a> 3.0.10</li> <li>Additional commits viewable in <a href="https://github.com/PeculiarVentures/PKI.js/compare/v3.0.7...v3.0.14">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=pkijs&package-manager=npm_and_yarn&previous-version=3.0.7&new-version=3.0.14)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>> **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
relaycorp · May 3, 2023 · 2a40700 · 2a40700
1 parent 4f58bf4
commit 2a40700
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 40 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -44,7 +44,7 @@
     "dohdec": "^3.1.0",
     "is-valid-domain": "^0.1.6",
     "moment": "^2.29.4",
-    "pkijs": "^3.0.7",
+    "pkijs": "^3.0.14",
     "smart-buffer": "^4.2.0",
     "uuid4": "^2.0.3",
     "verror": "^1.10.1",

diff --git a/src/lib/crypto_wrappers/x509/Certificate.ts b/src/lib/crypto_wrappers/x509/Certificate.ts
@@ -12,11 +12,6 @@ import { assertPkiType, assertUndefined } from '../cms/_utils';
 
 const MAX_PATH_LENGTH_CONSTRAINT = 2; // Per Relaynet PKI
 
-type FindIssuerSignature = (
-  cert: pkijs.Certificate,
-  engine: pkijs.CertificateChainValidationEngine,
-) => Promise<readonly pkijs.Certificate[]>;
-
 /**
  * X.509 Certificate.
  *
@@ -233,23 +228,6 @@ export default class Certificate {
     intermediateCaCertificates: readonly Certificate[],
     trustedCertificates: readonly Certificate[],
   ): Promise<readonly Certificate[]> {
-    async function findIssuer(
-      pkijsCertificate: pkijs.Certificate,
-      validationEngine: { readonly defaultFindIssuer: FindIssuerSignature },
-    ): Promise<readonly pkijs.Certificate[]> {
-      const issuers = await validationEngine.defaultFindIssuer(
-        pkijsCertificate,
-        validationEngine as any,
-      );
-      if (issuers.length !== 0) {
-        return issuers;
-      }
-      // If the certificate is actually an intermediate certificate but it's passed as a trusted
-      // certificate, accepted it.
-      const certificate = new Certificate(pkijsCertificate);
-      return isCertificateInArray(certificate, trustedCertificates) ? [pkijsCertificate] : [];
-    }
-
     // Ignore any intermediate certificate that's also the issuer of a trusted certificate.
     // The main reason for doing this isn't performance, but the fact that PKI.js would fail to
     // compute the path.
@@ -264,7 +242,6 @@ export default class Certificate {
 
     const chainValidator = new pkijs.CertificateChainValidationEngine({
       certs: [...intermediateCertsSanitized.map((c) => c.pkijsCertificate), this.pkijsCertificate],
-      findIssuer: findIssuer as unknown as pkijs.FindIssuerCallback, // Use unknown to fix TS error, because findIssuer returns `readonly Certificate[]` instead of `Certificate[]`
       trustedCerts: trustedCertificates.map((c) => c.pkijsCertificate),
     });
     const verification = await chainValidator.verify({ passedWhenNotRevValues: false });
@@ -349,12 +326,3 @@ function cloneAsn1jsValue<T extends BaseBlock>(value: T): T {
   const valueSerialized = value.toBER(false);
   return derDeserialize(valueSerialized) as T;
 }
-
-function isCertificateInArray(certificate: Certificate, array: readonly Certificate[]): boolean {
-  for (const certInArray of array) {
-    if (certInArray.isEqual(certificate)) {
-      return true;
-    }
-  }
-  return false;
-}