fix: validate padding in certificates

src/middleware/device-certificate.ts

@@ -9,6 +9,7 @@ function deviceCertificateMiddleware(request: express.Request, _response: expres
 		return next();
 	}
 
+	// TODO - Replace this with https://github.com/PretendoNetwork/nintendo-file-formats
 	request.certificate = new NintendoCertificate(certificate);
 
 	return next();

src/middleware/nasc.ts

@@ -53,6 +53,7 @@ async function NASCMiddleware(request: express.Request, response: express.Respon
 		return;
 	}
 
+	// TODO - Replace this with https://github.com/PretendoNetwork/nintendo-file-formats maybe?
 	const cert = new NintendoCertificate(fcdcert);
 
 	if (!cert.valid) {

src/nintendo-certificate.ts

@@ -69,6 +69,7 @@ const SIGNATURE_SIZES = {
 	}
 } as const;
 
+// TODO - Replace this with https://github.com/PretendoNetwork/nintendo-file-formats
 class NintendoCertificate {
 	_certificate: Buffer;
 	_certificateBody: Buffer;
@@ -123,8 +124,16 @@ class NintendoCertificate {
 			const signatureTypeSizes = this._signatureTypeSizes(this.signatureType);
 
 			this._certificateBody = this._certificate.subarray(0x4 + signatureTypeSizes.SIZE + signatureTypeSizes.PADDING_SIZE);
-
 			this.signature = this._certificate.subarray(0x4, 0x4 + signatureTypeSizes.SIZE);
+
+			const padding = this._certificate.subarray(0x4 + signatureTypeSizes.SIZE, 0x4 + signatureTypeSizes.SIZE + signatureTypeSizes.PADDING_SIZE);
+
+			this.valid = padding.every(byte => byte === 0);
+
+			if (!this.valid) {
+				return;
+			}
+
 			this.issuer = this._certificate.subarray(0x80, 0xC0).toString().split('\0')[0];
 			this.keyType = this._certificate.readUInt32BE(0xC0);
 			this.certificateName = this._certificate.subarray(0xC4, 0x104).toString().split('\0')[0];
@@ -137,7 +146,7 @@ class NintendoCertificate {
 				this.consoleType = '3ds';
 			}
 
-			this._verifySignature();
+			this._verifySignatureECDSA(); // * Force it to use the expected certificate type
 		}
 	}