]>
Commit | Line | Data |
---|---|---|
41f2ebae | 1 | import { Request } from 'express' |
74dc3bca | 2 | import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants' |
8d2be0ed | 3 | import { createPrivateKey, getPublicKey, promisify1, promisify2, sha256 } from './core-utils' |
ad513607 | 4 | import { jsonld } from './custom-jsonld-signature' |
8d468a16 | 5 | import { logger } from './logger' |
df66d815 | 6 | import { cloneDeep } from 'lodash' |
ad513607 | 7 | import { createSign, createVerify } from 'crypto' |
df66d815 | 8 | import { buildDigest } from '../lib/job-queue/handlers/utils/activitypub-http-utils' |
8d2be0ed | 9 | import * as bcrypt from 'bcrypt' |
453e83ea | 10 | import { MActor } from '../typings/models' |
8d2be0ed C |
11 | |
12 | const bcryptComparePromise = promisify2<any, string, boolean>(bcrypt.compare) | |
13 | const bcryptGenSaltPromise = promisify1<number, string>(bcrypt.genSalt) | |
14 | const bcryptHashPromise = promisify2<any, string | number, string>(bcrypt.hash) | |
9f10b292 | 15 | |
41f2ebae C |
16 | const httpSignature = require('http-signature') |
17 | ||
e4f97bab C |
18 | async function createPrivateAndPublicKeys () { |
19 | logger.info('Generating a RSA key...') | |
bdfbd4f1 | 20 | |
e4f97bab C |
21 | const { key } = await createPrivateKey(PRIVATE_RSA_KEY_SIZE) |
22 | const { publicKey } = await getPublicKey(key) | |
bdfbd4f1 | 23 | |
e4f97bab | 24 | return { privateKey: key, publicKey } |
9f10b292 C |
25 | } |
26 | ||
41f2ebae C |
27 | // User password checks |
28 | ||
29 | function comparePassword (plainPassword: string, hashPassword: string) { | |
30 | return bcryptComparePromise(plainPassword, hashPassword) | |
31 | } | |
32 | ||
33 | async function cryptPassword (password: string) { | |
34 | const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) | |
35 | ||
36 | return bcryptHashPromise(password, salt) | |
37 | } | |
38 | ||
39 | // HTTP Signature | |
40 | ||
df66d815 C |
41 | function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean { |
42 | if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) { | |
43 | return buildDigest(rawBody.toString()) === req.headers['digest'] | |
44 | } | |
45 | ||
46 | return true | |
47 | } | |
48 | ||
453e83ea | 49 | function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): boolean { |
41f2ebae C |
50 | return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true |
51 | } | |
52 | ||
df66d815 | 53 | function parseHTTPSignature (req: Request, clockSkew?: number) { |
e9226905 | 54 | return httpSignature.parse(req, { clockSkew }) |
41f2ebae C |
55 | } |
56 | ||
57 | // JSONLD | |
58 | ||
ad513607 | 59 | function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> { |
df66d815 | 60 | if (signedDocument.signature.type === 'RsaSignature2017') { |
ad513607 | 61 | return isJsonLDRSA2017Verified(fromActor, signedDocument) |
df66d815 C |
62 | } |
63 | ||
ad513607 | 64 | logger.warn('Unknown JSON LD signature %s.', signedDocument.signature.type, signedDocument) |
bdfbd4f1 | 65 | |
ad513607 | 66 | return Promise.resolve(false) |
26d7d31b C |
67 | } |
68 | ||
df66d815 | 69 | // Backward compatibility with "other" implementations |
453e83ea | 70 | async function isJsonLDRSA2017Verified (fromActor: MActor, signedDocument: any) { |
df66d815 | 71 | const [ documentHash, optionsHash ] = await Promise.all([ |
ad513607 C |
72 | createDocWithoutSignatureHash(signedDocument), |
73 | createSignatureHash(signedDocument.signature) | |
df66d815 C |
74 | ]) |
75 | ||
76 | const toVerify = optionsHash + documentHash | |
77 | ||
78 | const verify = createVerify('RSA-SHA256') | |
79 | verify.update(toVerify, 'utf8') | |
80 | ||
81 | return verify.verify(fromActor.publicKey, signedDocument.signature.signatureValue, 'base64') | |
82 | } | |
83 | ||
ad513607 C |
84 | async function signJsonLDObject (byActor: MActor, data: any) { |
85 | const signature = { | |
86 | type: 'RsaSignature2017', | |
ce33ee01 | 87 | creator: byActor.url, |
ad513607 | 88 | created: new Date().toISOString() |
f5028693 | 89 | } |
9f10b292 | 90 | |
ad513607 C |
91 | const [ documentHash, optionsHash ] = await Promise.all([ |
92 | createDocWithoutSignatureHash(data), | |
93 | createSignatureHash(signature) | |
94 | ]) | |
95 | ||
96 | const toSign = optionsHash + documentHash | |
97 | ||
98 | const sign = createSign('RSA-SHA256') | |
99 | sign.update(toSign, 'utf8') | |
100 | ||
101 | const signatureValue = sign.sign(byActor.privateKey, 'base64') | |
102 | Object.assign(signature, { signatureValue }) | |
103 | ||
104 | return Object.assign(data, { signature }) | |
e4f97bab C |
105 | } |
106 | ||
9f10b292 | 107 | // --------------------------------------------------------------------------- |
dac0a531 | 108 | |
65fcc311 | 109 | export { |
df66d815 | 110 | isHTTPSignatureDigestValid, |
41f2ebae C |
111 | parseHTTPSignature, |
112 | isHTTPSignatureVerified, | |
113 | isJsonLDSignatureVerified, | |
65fcc311 | 114 | comparePassword, |
e4f97bab | 115 | createPrivateAndPublicKeys, |
65fcc311 | 116 | cryptPassword, |
41f2ebae | 117 | signJsonLDObject |
9f10b292 | 118 | } |
8d2be0ed C |
119 | |
120 | // --------------------------------------------------------------------------- | |
ad513607 C |
121 | |
122 | function hash (obj: any): Promise<any> { | |
123 | return jsonld.promises | |
124 | .normalize(obj, { | |
125 | algorithm: 'URDNA2015', | |
126 | format: 'application/n-quads' | |
127 | }) | |
128 | .then(res => sha256(res)) | |
129 | } | |
130 | ||
131 | function createSignatureHash (signature: any) { | |
132 | const signatureCopy = cloneDeep(signature) | |
133 | Object.assign(signatureCopy, { | |
134 | '@context': [ | |
135 | 'https://w3id.org/security/v1', | |
136 | { RsaSignature2017: 'https://w3id.org/security#RsaSignature2017' } | |
137 | ] | |
138 | }) | |
139 | ||
140 | delete signatureCopy.type | |
141 | delete signatureCopy.id | |
142 | delete signatureCopy.signatureValue | |
143 | ||
144 | return hash(signatureCopy) | |
145 | } | |
146 | ||
147 | function createDocWithoutSignatureHash (doc: any) { | |
148 | const docWithoutSignature = cloneDeep(doc) | |
149 | delete docWithoutSignature.signature | |
150 | ||
151 | return hash(docWithoutSignature) | |
152 | } |