1 import { Request } from 'express'
2 import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
3 import { createPrivateKey, getPublicKey, promisify1, promisify2, sha256 } from './core-utils'
4 import { jsonld } from './custom-jsonld-signature'
5 import { logger } from './logger'
6 import { cloneDeep } from 'lodash'
7 import { createSign, createVerify } from 'crypto'
8 import * as bcrypt from 'bcrypt'
9 import { MActor } from '../types/models'
11 const bcryptComparePromise = promisify2<any, string, boolean>(bcrypt.compare)
12 const bcryptGenSaltPromise = promisify1<number, string>(bcrypt.genSalt)
13 const bcryptHashPromise = promisify2<any, string | number, string>(bcrypt.hash)
15 const httpSignature = require('http-signature')
17 async function createPrivateAndPublicKeys () {
18 logger.info('Generating a RSA key...')
20 const { key } = await createPrivateKey(PRIVATE_RSA_KEY_SIZE)
21 const { publicKey } = await getPublicKey(key)
23 return { privateKey: key, publicKey }
26 // User password checks
28 function comparePassword (plainPassword: string, hashPassword: string) {
29 return bcryptComparePromise(plainPassword, hashPassword)
32 async function cryptPassword (password: string) {
33 const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE)
35 return bcryptHashPromise(password, salt)
40 function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean {
41 if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) {
42 return buildDigest(rawBody.toString()) === req.headers['digest']
48 function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): boolean {
49 return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true
52 function parseHTTPSignature (req: Request, clockSkew?: number) {
53 const headers = req.method === 'POST'
54 ? HTTP_SIGNATURE.REQUIRED_HEADERS.POST
55 : HTTP_SIGNATURE.REQUIRED_HEADERS.ALL
57 return httpSignature.parse(req, { clockSkew, headers })
62 function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> {
63 if (signedDocument.signature.type === 'RsaSignature2017') {
64 return isJsonLDRSA2017Verified(fromActor, signedDocument)
67 logger.warn('Unknown JSON LD signature %s.', signedDocument.signature.type, signedDocument)
69 return Promise.resolve(false)
72 // Backward compatibility with "other" implementations
73 async function isJsonLDRSA2017Verified (fromActor: MActor, signedDocument: any) {
74 const [ documentHash, optionsHash ] = await Promise.all([
75 createDocWithoutSignatureHash(signedDocument),
76 createSignatureHash(signedDocument.signature)
79 const toVerify = optionsHash + documentHash
81 const verify = createVerify('RSA-SHA256')
82 verify.update(toVerify, 'utf8')
84 return verify.verify(fromActor.publicKey, signedDocument.signature.signatureValue, 'base64')
87 async function signJsonLDObject <T> (byActor: MActor, data: T) {
89 type: 'RsaSignature2017',
91 created: new Date().toISOString()
94 const [ documentHash, optionsHash ] = await Promise.all([
95 createDocWithoutSignatureHash(data),
96 createSignatureHash(signature)
99 const toSign = optionsHash + documentHash
101 const sign = createSign('RSA-SHA256')
102 sign.update(toSign, 'utf8')
104 const signatureValue = sign.sign(byActor.privateKey, 'base64')
105 Object.assign(signature, { signatureValue })
107 return Object.assign(data, { signature })
110 function buildDigest (body: any) {
111 const rawBody = typeof body === 'string' ? body : JSON.stringify(body)
113 return 'SHA-256=' + sha256(rawBody, 'base64')
116 // ---------------------------------------------------------------------------
119 isHTTPSignatureDigestValid,
121 isHTTPSignatureVerified,
123 isJsonLDSignatureVerified,
125 createPrivateAndPublicKeys,
130 // ---------------------------------------------------------------------------
132 function hash (obj: any): Promise<any> {
133 return jsonld.promises
135 algorithm: 'URDNA2015',
136 format: 'application/n-quads'
138 .then(res => sha256(res))
141 function createSignatureHash (signature: any) {
142 const signatureCopy = cloneDeep(signature)
143 Object.assign(signatureCopy, {
145 'https://w3id.org/security/v1',
146 { RsaSignature2017: 'https://w3id.org/security#RsaSignature2017' }
150 delete signatureCopy.type
151 delete signatureCopy.id
152 delete signatureCopy.signatureValue
154 return hash(signatureCopy)
157 function createDocWithoutSignatureHash (doc: any) {
158 const docWithoutSignature = cloneDeep(doc)
159 delete docWithoutSignature.signature
161 return hash(docWithoutSignature)