]>
Commit | Line | Data |
---|---|---|
41fb13c3 | 1 | import { compare, genSalt, hash } from 'bcrypt' |
a3e5f804 | 2 | import { createCipheriv, createDecipheriv, createSign, createVerify } from 'crypto' |
41f2ebae | 3 | import { Request } from 'express' |
41fb13c3 | 4 | import { cloneDeep } from 'lodash' |
0c9668f7 | 5 | import { promisify1, promisify2 } from '@shared/core-utils' |
f304a158 | 6 | import { sha256 } from '@shared/extra-utils' |
a3e5f804 | 7 | import { BCRYPT_SALT_SIZE, ENCRYPTION, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants' |
41fb13c3 | 8 | import { MActor } from '../types/models' |
0c9668f7 | 9 | import { generateRSAKeyPairPromise, randomBytesPromise, scryptPromise } from './core-utils' |
ad513607 | 10 | import { jsonld } from './custom-jsonld-signature' |
8d468a16 | 11 | import { logger } from './logger' |
8d2be0ed | 12 | |
41fb13c3 C |
13 | const bcryptComparePromise = promisify2<any, string, boolean>(compare) |
14 | const bcryptGenSaltPromise = promisify1<number, string>(genSalt) | |
15 | const bcryptHashPromise = promisify2<any, string | number, string>(hash) | |
9f10b292 | 16 | |
5842a854 | 17 | const httpSignature = require('@peertube/http-signature') |
41f2ebae | 18 | |
5d7cb63e | 19 | function createPrivateAndPublicKeys () { |
e4f97bab | 20 | logger.info('Generating a RSA key...') |
bdfbd4f1 | 21 | |
5d7cb63e | 22 | return generateRSAKeyPairPromise(PRIVATE_RSA_KEY_SIZE) |
9f10b292 C |
23 | } |
24 | ||
a3e5f804 | 25 | // --------------------------------------------------------------------------- |
41f2ebae | 26 | // User password checks |
a3e5f804 | 27 | // --------------------------------------------------------------------------- |
41f2ebae C |
28 | |
29 | function comparePassword (plainPassword: string, hashPassword: string) { | |
2166c058 C |
30 | if (!plainPassword) return Promise.resolve(false) |
31 | ||
41f2ebae C |
32 | return bcryptComparePromise(plainPassword, hashPassword) |
33 | } | |
34 | ||
35 | async function cryptPassword (password: string) { | |
36 | const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) | |
37 | ||
38 | return bcryptHashPromise(password, salt) | |
39 | } | |
40 | ||
a3e5f804 | 41 | // --------------------------------------------------------------------------- |
41f2ebae | 42 | // HTTP Signature |
a3e5f804 | 43 | // --------------------------------------------------------------------------- |
41f2ebae | 44 | |
df66d815 C |
45 | function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean { |
46 | if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) { | |
47 | return buildDigest(rawBody.toString()) === req.headers['digest'] | |
48 | } | |
49 | ||
50 | return true | |
51 | } | |
52 | ||
453e83ea | 53 | function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): boolean { |
41f2ebae C |
54 | return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true |
55 | } | |
56 | ||
df66d815 | 57 | function parseHTTPSignature (req: Request, clockSkew?: number) { |
e08ec7a7 C |
58 | const requiredHeaders = req.method === 'POST' |
59 | ? [ '(request-target)', 'host', 'digest' ] | |
60 | : [ '(request-target)', 'host' ] | |
797d05bd | 61 | |
e08ec7a7 C |
62 | const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders }) |
63 | ||
64 | const parsedHeaders = parsed.params.headers | |
65 | if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) { | |
66 | throw new Error(`date or (created) must be included in signature`) | |
67 | } | |
68 | ||
69 | return parsed | |
41f2ebae C |
70 | } |
71 | ||
a3e5f804 | 72 | // --------------------------------------------------------------------------- |
41f2ebae | 73 | // JSONLD |
a3e5f804 | 74 | // --------------------------------------------------------------------------- |
41f2ebae | 75 | |
ad513607 | 76 | function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> { |
df66d815 | 77 | if (signedDocument.signature.type === 'RsaSignature2017') { |
ad513607 | 78 | return isJsonLDRSA2017Verified(fromActor, signedDocument) |
df66d815 C |
79 | } |
80 | ||
ad513607 | 81 | logger.warn('Unknown JSON LD signature %s.', signedDocument.signature.type, signedDocument) |
bdfbd4f1 | 82 | |
ad513607 | 83 | return Promise.resolve(false) |
26d7d31b C |
84 | } |
85 | ||
df66d815 | 86 | // Backward compatibility with "other" implementations |
453e83ea | 87 | async function isJsonLDRSA2017Verified (fromActor: MActor, signedDocument: any) { |
df66d815 | 88 | const [ documentHash, optionsHash ] = await Promise.all([ |
ad513607 C |
89 | createDocWithoutSignatureHash(signedDocument), |
90 | createSignatureHash(signedDocument.signature) | |
df66d815 C |
91 | ]) |
92 | ||
93 | const toVerify = optionsHash + documentHash | |
94 | ||
95 | const verify = createVerify('RSA-SHA256') | |
96 | verify.update(toVerify, 'utf8') | |
97 | ||
98 | return verify.verify(fromActor.publicKey, signedDocument.signature.signatureValue, 'base64') | |
99 | } | |
100 | ||
db4b15f2 | 101 | async function signJsonLDObject <T> (byActor: MActor, data: T) { |
ad513607 C |
102 | const signature = { |
103 | type: 'RsaSignature2017', | |
ce33ee01 | 104 | creator: byActor.url, |
ad513607 | 105 | created: new Date().toISOString() |
f5028693 | 106 | } |
9f10b292 | 107 | |
ad513607 C |
108 | const [ documentHash, optionsHash ] = await Promise.all([ |
109 | createDocWithoutSignatureHash(data), | |
110 | createSignatureHash(signature) | |
111 | ]) | |
112 | ||
113 | const toSign = optionsHash + documentHash | |
114 | ||
115 | const sign = createSign('RSA-SHA256') | |
116 | sign.update(toSign, 'utf8') | |
117 | ||
118 | const signatureValue = sign.sign(byActor.privateKey, 'base64') | |
119 | Object.assign(signature, { signatureValue }) | |
120 | ||
121 | return Object.assign(data, { signature }) | |
e4f97bab C |
122 | } |
123 | ||
a3e5f804 C |
124 | // --------------------------------------------------------------------------- |
125 | ||
8dc8a34e C |
126 | function buildDigest (body: any) { |
127 | const rawBody = typeof body === 'string' ? body : JSON.stringify(body) | |
128 | ||
129 | return 'SHA-256=' + sha256(rawBody, 'base64') | |
130 | } | |
131 | ||
a3e5f804 C |
132 | // --------------------------------------------------------------------------- |
133 | // Encryption | |
134 | // --------------------------------------------------------------------------- | |
135 | ||
136 | async function encrypt (str: string, secret: string) { | |
137 | const iv = await randomBytesPromise(ENCRYPTION.IV) | |
138 | ||
139 | const key = await scryptPromise(secret, ENCRYPTION.SALT, 32) | |
140 | const cipher = createCipheriv(ENCRYPTION.ALGORITHM, key, iv) | |
141 | ||
142 | let encrypted = iv.toString(ENCRYPTION.ENCODING) + ':' | |
143 | encrypted += cipher.update(str, 'utf8', ENCRYPTION.ENCODING) | |
144 | encrypted += cipher.final(ENCRYPTION.ENCODING) | |
145 | ||
146 | return encrypted | |
147 | } | |
148 | ||
149 | async function decrypt (encryptedArg: string, secret: string) { | |
150 | const [ ivStr, encryptedStr ] = encryptedArg.split(':') | |
151 | ||
152 | const iv = Buffer.from(ivStr, 'hex') | |
153 | const key = await scryptPromise(secret, ENCRYPTION.SALT, 32) | |
154 | ||
155 | const decipher = createDecipheriv(ENCRYPTION.ALGORITHM, key, iv) | |
156 | ||
157 | return decipher.update(encryptedStr, ENCRYPTION.ENCODING, 'utf8') + decipher.final('utf8') | |
158 | } | |
159 | ||
9f10b292 | 160 | // --------------------------------------------------------------------------- |
dac0a531 | 161 | |
65fcc311 | 162 | export { |
df66d815 | 163 | isHTTPSignatureDigestValid, |
41f2ebae C |
164 | parseHTTPSignature, |
165 | isHTTPSignatureVerified, | |
8dc8a34e | 166 | buildDigest, |
41f2ebae | 167 | isJsonLDSignatureVerified, |
65fcc311 | 168 | comparePassword, |
e4f97bab | 169 | createPrivateAndPublicKeys, |
65fcc311 | 170 | cryptPassword, |
a3e5f804 C |
171 | signJsonLDObject, |
172 | ||
173 | encrypt, | |
174 | decrypt | |
9f10b292 | 175 | } |
8d2be0ed C |
176 | |
177 | // --------------------------------------------------------------------------- | |
ad513607 | 178 | |
41fb13c3 | 179 | function hashObject (obj: any): Promise<any> { |
edacb640 C |
180 | return jsonld.promises.normalize(obj, { |
181 | safe: false, | |
182 | algorithm: 'URDNA2015', | |
183 | format: 'application/n-quads' | |
184 | }).then(res => sha256(res)) | |
ad513607 C |
185 | } |
186 | ||
187 | function createSignatureHash (signature: any) { | |
188 | const signatureCopy = cloneDeep(signature) | |
189 | Object.assign(signatureCopy, { | |
190 | '@context': [ | |
191 | 'https://w3id.org/security/v1', | |
192 | { RsaSignature2017: 'https://w3id.org/security#RsaSignature2017' } | |
193 | ] | |
194 | }) | |
195 | ||
196 | delete signatureCopy.type | |
197 | delete signatureCopy.id | |
198 | delete signatureCopy.signatureValue | |
199 | ||
41fb13c3 | 200 | return hashObject(signatureCopy) |
ad513607 C |
201 | } |
202 | ||
203 | function createDocWithoutSignatureHash (doc: any) { | |
204 | const docWithoutSignature = cloneDeep(doc) | |
205 | delete docWithoutSignature.signature | |
206 | ||
41fb13c3 | 207 | return hashObject(docWithoutSignature) |
ad513607 | 208 | } |