]>
Commit | Line | Data |
---|---|---|
1 | import { Request } from 'express' | |
2 | import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants' | |
3 | import { createPrivateKey, getPublicKey, promisify1, promisify2, sha256 } from './core-utils' | |
4 | import { jsonld } from './custom-jsonld-signature' | |
5 | import { logger } from './logger' | |
6 | import { cloneDeep } from 'lodash' | |
7 | import { createSign, createVerify } from 'crypto' | |
8 | import * as bcrypt from 'bcrypt' | |
9 | import { MActor } from '../types/models' | |
10 | ||
11 | const bcryptComparePromise = promisify2<any, string, boolean>(bcrypt.compare) | |
12 | const bcryptGenSaltPromise = promisify1<number, string>(bcrypt.genSalt) | |
13 | const bcryptHashPromise = promisify2<any, string | number, string>(bcrypt.hash) | |
14 | ||
15 | const httpSignature = require('http-signature') | |
16 | ||
17 | async function createPrivateAndPublicKeys () { | |
18 | logger.info('Generating a RSA key...') | |
19 | ||
20 | const { key } = await createPrivateKey(PRIVATE_RSA_KEY_SIZE) | |
21 | const { publicKey } = await getPublicKey(key) | |
22 | ||
23 | return { privateKey: key, publicKey } | |
24 | } | |
25 | ||
26 | // User password checks | |
27 | ||
28 | function comparePassword (plainPassword: string, hashPassword: string) { | |
29 | return bcryptComparePromise(plainPassword, hashPassword) | |
30 | } | |
31 | ||
32 | async function cryptPassword (password: string) { | |
33 | const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) | |
34 | ||
35 | return bcryptHashPromise(password, salt) | |
36 | } | |
37 | ||
38 | // HTTP Signature | |
39 | ||
40 | function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean { | |
41 | if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) { | |
42 | return buildDigest(rawBody.toString()) === req.headers['digest'] | |
43 | } | |
44 | ||
45 | return true | |
46 | } | |
47 | ||
48 | function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): boolean { | |
49 | return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true | |
50 | } | |
51 | ||
52 | function parseHTTPSignature (req: Request, clockSkew?: number) { | |
53 | return httpSignature.parse(req, { clockSkew }) | |
54 | } | |
55 | ||
56 | // JSONLD | |
57 | ||
58 | function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> { | |
59 | if (signedDocument.signature.type === 'RsaSignature2017') { | |
60 | return isJsonLDRSA2017Verified(fromActor, signedDocument) | |
61 | } | |
62 | ||
63 | logger.warn('Unknown JSON LD signature %s.', signedDocument.signature.type, signedDocument) | |
64 | ||
65 | return Promise.resolve(false) | |
66 | } | |
67 | ||
68 | // Backward compatibility with "other" implementations | |
69 | async function isJsonLDRSA2017Verified (fromActor: MActor, signedDocument: any) { | |
70 | const [ documentHash, optionsHash ] = await Promise.all([ | |
71 | createDocWithoutSignatureHash(signedDocument), | |
72 | createSignatureHash(signedDocument.signature) | |
73 | ]) | |
74 | ||
75 | const toVerify = optionsHash + documentHash | |
76 | ||
77 | const verify = createVerify('RSA-SHA256') | |
78 | verify.update(toVerify, 'utf8') | |
79 | ||
80 | return verify.verify(fromActor.publicKey, signedDocument.signature.signatureValue, 'base64') | |
81 | } | |
82 | ||
83 | async function signJsonLDObject (byActor: MActor, data: any) { | |
84 | const signature = { | |
85 | type: 'RsaSignature2017', | |
86 | creator: byActor.url, | |
87 | created: new Date().toISOString() | |
88 | } | |
89 | ||
90 | const [ documentHash, optionsHash ] = await Promise.all([ | |
91 | createDocWithoutSignatureHash(data), | |
92 | createSignatureHash(signature) | |
93 | ]) | |
94 | ||
95 | const toSign = optionsHash + documentHash | |
96 | ||
97 | const sign = createSign('RSA-SHA256') | |
98 | sign.update(toSign, 'utf8') | |
99 | ||
100 | const signatureValue = sign.sign(byActor.privateKey, 'base64') | |
101 | Object.assign(signature, { signatureValue }) | |
102 | ||
103 | return Object.assign(data, { signature }) | |
104 | } | |
105 | ||
106 | function buildDigest (body: any) { | |
107 | const rawBody = typeof body === 'string' ? body : JSON.stringify(body) | |
108 | ||
109 | return 'SHA-256=' + sha256(rawBody, 'base64') | |
110 | } | |
111 | ||
112 | // --------------------------------------------------------------------------- | |
113 | ||
114 | export { | |
115 | isHTTPSignatureDigestValid, | |
116 | parseHTTPSignature, | |
117 | isHTTPSignatureVerified, | |
118 | buildDigest, | |
119 | isJsonLDSignatureVerified, | |
120 | comparePassword, | |
121 | createPrivateAndPublicKeys, | |
122 | cryptPassword, | |
123 | signJsonLDObject | |
124 | } | |
125 | ||
126 | // --------------------------------------------------------------------------- | |
127 | ||
128 | function hash (obj: any): Promise<any> { | |
129 | return jsonld.promises | |
130 | .normalize(obj, { | |
131 | algorithm: 'URDNA2015', | |
132 | format: 'application/n-quads' | |
133 | }) | |
134 | .then(res => sha256(res)) | |
135 | } | |
136 | ||
137 | function createSignatureHash (signature: any) { | |
138 | const signatureCopy = cloneDeep(signature) | |
139 | Object.assign(signatureCopy, { | |
140 | '@context': [ | |
141 | 'https://w3id.org/security/v1', | |
142 | { RsaSignature2017: 'https://w3id.org/security#RsaSignature2017' } | |
143 | ] | |
144 | }) | |
145 | ||
146 | delete signatureCopy.type | |
147 | delete signatureCopy.id | |
148 | delete signatureCopy.signatureValue | |
149 | ||
150 | return hash(signatureCopy) | |
151 | } | |
152 | ||
153 | function createDocWithoutSignatureHash (doc: any) { | |
154 | const docWithoutSignature = cloneDeep(doc) | |
155 | delete docWithoutSignature.signature | |
156 | ||
157 | return hash(docWithoutSignature) | |
158 | } |