]>
Commit | Line | Data |
---|---|---|
41f2ebae | 1 | import { Request } from 'express' |
74dc3bca | 2 | import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants' |
50d6de9c | 3 | import { ActorModel } from '../models/activitypub/actor' |
8d2be0ed | 4 | import { createPrivateKey, getPublicKey, promisify1, promisify2, sha256 } from './core-utils' |
df66d815 | 5 | import { jsig, jsonld } from './custom-jsonld-signature' |
8d468a16 | 6 | import { logger } from './logger' |
df66d815 C |
7 | import { cloneDeep } from 'lodash' |
8 | import { createVerify } from 'crypto' | |
9 | import { buildDigest } from '../lib/job-queue/handlers/utils/activitypub-http-utils' | |
8d2be0ed | 10 | import * as bcrypt from 'bcrypt' |
453e83ea | 11 | import { MActor } from '../typings/models' |
8d2be0ed C |
12 | |
13 | const bcryptComparePromise = promisify2<any, string, boolean>(bcrypt.compare) | |
14 | const bcryptGenSaltPromise = promisify1<number, string>(bcrypt.genSalt) | |
15 | const bcryptHashPromise = promisify2<any, string | number, string>(bcrypt.hash) | |
9f10b292 | 16 | |
41f2ebae C |
17 | const httpSignature = require('http-signature') |
18 | ||
e4f97bab C |
19 | async function createPrivateAndPublicKeys () { |
20 | logger.info('Generating a RSA key...') | |
bdfbd4f1 | 21 | |
e4f97bab C |
22 | const { key } = await createPrivateKey(PRIVATE_RSA_KEY_SIZE) |
23 | const { publicKey } = await getPublicKey(key) | |
bdfbd4f1 | 24 | |
e4f97bab | 25 | return { privateKey: key, publicKey } |
9f10b292 C |
26 | } |
27 | ||
41f2ebae C |
28 | // User password checks |
29 | ||
30 | function comparePassword (plainPassword: string, hashPassword: string) { | |
31 | return bcryptComparePromise(plainPassword, hashPassword) | |
32 | } | |
33 | ||
34 | async function cryptPassword (password: string) { | |
35 | const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) | |
36 | ||
37 | return bcryptHashPromise(password, salt) | |
38 | } | |
39 | ||
40 | // HTTP Signature | |
41 | ||
df66d815 C |
42 | function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean { |
43 | if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) { | |
44 | return buildDigest(rawBody.toString()) === req.headers['digest'] | |
45 | } | |
46 | ||
47 | return true | |
48 | } | |
49 | ||
453e83ea | 50 | function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): boolean { |
41f2ebae C |
51 | return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true |
52 | } | |
53 | ||
df66d815 C |
54 | function parseHTTPSignature (req: Request, clockSkew?: number) { |
55 | return httpSignature.parse(req, { authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME, clockSkew }) | |
41f2ebae C |
56 | } |
57 | ||
58 | // JSONLD | |
59 | ||
453e83ea | 60 | async function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> { |
df66d815 C |
61 | if (signedDocument.signature.type === 'RsaSignature2017') { |
62 | // Mastodon algorithm | |
63 | const res = await isJsonLDRSA2017Verified(fromActor, signedDocument) | |
64 | // Success? If no, try with our library | |
65 | if (res === true) return true | |
66 | } | |
67 | ||
e4f97bab C |
68 | const publicKeyObject = { |
69 | '@context': jsig.SECURITY_CONTEXT_URL, | |
41f2ebae | 70 | id: fromActor.url, |
df66d815 | 71 | type: 'CryptographicKey', |
50d6de9c C |
72 | owner: fromActor.url, |
73 | publicKeyPem: fromActor.publicKey | |
bdfbd4f1 C |
74 | } |
75 | ||
e4f97bab C |
76 | const publicKeyOwnerObject = { |
77 | '@context': jsig.SECURITY_CONTEXT_URL, | |
41f2ebae | 78 | id: fromActor.url, |
e4f97bab C |
79 | publicKey: [ publicKeyObject ] |
80 | } | |
bdfbd4f1 | 81 | |
e4f97bab C |
82 | const options = { |
83 | publicKey: publicKeyObject, | |
84 | publicKeyOwner: publicKeyOwnerObject | |
85 | } | |
bdfbd4f1 | 86 | |
41f2ebae C |
87 | return jsig.promises |
88 | .verify(signedDocument, options) | |
40ed9f6a | 89 | .then((result: { verified: boolean }) => result.verified) |
41f2ebae C |
90 | .catch(err => { |
91 | logger.error('Cannot check signature.', { err }) | |
92 | return false | |
93 | }) | |
26d7d31b C |
94 | } |
95 | ||
df66d815 | 96 | // Backward compatibility with "other" implementations |
453e83ea | 97 | async function isJsonLDRSA2017Verified (fromActor: MActor, signedDocument: any) { |
df66d815 C |
98 | function hash (obj: any): Promise<any> { |
99 | return jsonld.promises | |
100 | .normalize(obj, { | |
101 | algorithm: 'URDNA2015', | |
102 | format: 'application/n-quads' | |
103 | }) | |
104 | .then(res => sha256(res)) | |
105 | } | |
106 | ||
107 | const signatureCopy = cloneDeep(signedDocument.signature) | |
108 | Object.assign(signatureCopy, { | |
109 | '@context': [ | |
110 | 'https://w3id.org/security/v1', | |
111 | { RsaSignature2017: 'https://w3id.org/security#RsaSignature2017' } | |
112 | ] | |
113 | }) | |
114 | delete signatureCopy.type | |
115 | delete signatureCopy.id | |
116 | delete signatureCopy.signatureValue | |
117 | ||
118 | const docWithoutSignature = cloneDeep(signedDocument) | |
119 | delete docWithoutSignature.signature | |
120 | ||
121 | const [ documentHash, optionsHash ] = await Promise.all([ | |
122 | hash(docWithoutSignature), | |
123 | hash(signatureCopy) | |
124 | ]) | |
125 | ||
126 | const toVerify = optionsHash + documentHash | |
127 | ||
128 | const verify = createVerify('RSA-SHA256') | |
129 | verify.update(toVerify, 'utf8') | |
130 | ||
131 | return verify.verify(fromActor.publicKey, signedDocument.signature.signatureValue, 'base64') | |
132 | } | |
133 | ||
453e83ea | 134 | function signJsonLDObject (byActor: MActor, data: any) { |
e4f97bab | 135 | const options = { |
50d6de9c | 136 | privateKeyPem: byActor.privateKey, |
ce33ee01 C |
137 | creator: byActor.url, |
138 | algorithm: 'RsaSignature2017' | |
f5028693 | 139 | } |
9f10b292 | 140 | |
efc32059 | 141 | return jsig.promises.sign(data, options) |
e4f97bab C |
142 | } |
143 | ||
9f10b292 | 144 | // --------------------------------------------------------------------------- |
dac0a531 | 145 | |
65fcc311 | 146 | export { |
df66d815 | 147 | isHTTPSignatureDigestValid, |
41f2ebae C |
148 | parseHTTPSignature, |
149 | isHTTPSignatureVerified, | |
150 | isJsonLDSignatureVerified, | |
65fcc311 | 151 | comparePassword, |
e4f97bab | 152 | createPrivateAndPublicKeys, |
65fcc311 | 153 | cryptPassword, |
41f2ebae | 154 | signJsonLDObject |
9f10b292 | 155 | } |
8d2be0ed C |
156 | |
157 | // --------------------------------------------------------------------------- |