X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fhelpers%2Fpeertube-crypto.ts;h=95e78a9048ec34a0f31d6cb86ea0be579417f635;hb=ce1b5ba78c35cfd4df123cab49aef1d14ca0f9b7;hp=9eb7823026cc3222bca162ed6841bef45152300d;hpb=8c559fad1e1c4c2ab7f1388c73200aa4c6256d74;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts
index 9eb782302..95e78a904 100644
--- a/server/helpers/peertube-crypto.ts
+++ b/server/helpers/peertube-crypto.ts
@@ -1,32 +1,34 @@
+import { compare, genSalt, hash } from 'bcrypt'
+import { createCipheriv, createDecipheriv, createSign, createVerify } from 'crypto'
 import { Request } from 'express'
-import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
-import { createPrivateKey, getPublicKey, promisify1, promisify2, sha256 } from './core-utils'
+import { cloneDeep } from 'lodash'
+import { promisify1, promisify2 } from '@shared/core-utils'
+import { sha256 } from '@shared/extra-utils'
+import { BCRYPT_SALT_SIZE, ENCRYPTION, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants'
+import { MActor } from '../types/models'
+import { generateRSAKeyPairPromise, randomBytesPromise, scryptPromise } from './core-utils'
 import { jsonld } from './custom-jsonld-signature'
 import { logger } from './logger'
-import { cloneDeep } from 'lodash'
-import { createSign, createVerify } from 'crypto'
-import { buildDigest } from '../lib/job-queue/handlers/utils/activitypub-http-utils'
-import * as bcrypt from 'bcrypt'
-import { MActor } from '../typings/models'
 
-const bcryptComparePromise = promisify2<any, string, boolean>(bcrypt.compare)
-const bcryptGenSaltPromise = promisify1<number, string>(bcrypt.genSalt)
-const bcryptHashPromise = promisify2<any, string | number, string>(bcrypt.hash)
+const bcryptComparePromise = promisify2<any, string, boolean>(compare)
+const bcryptGenSaltPromise = promisify1<number, string>(genSalt)
+const bcryptHashPromise = promisify2<any, string | number, string>(hash)
 
-const httpSignature = require('http-signature')
+const httpSignature = require('@peertube/http-signature')
 
-async function createPrivateAndPublicKeys () {
+function createPrivateAndPublicKeys () {
   logger.info('Generating a RSA key...')
 
-  const { key } = await createPrivateKey(PRIVATE_RSA_KEY_SIZE)
-  const { publicKey } = await getPublicKey(key)
-
-  return { privateKey: key, publicKey }
+  return generateRSAKeyPairPromise(PRIVATE_RSA_KEY_SIZE)
 }
 
+// ---------------------------------------------------------------------------
 // User password checks
+// ---------------------------------------------------------------------------
 
 function comparePassword (plainPassword: string, hashPassword: string) {
+  if (!plainPassword) return Promise.resolve(false)
+
   return bcryptComparePromise(plainPassword, hashPassword)
 }
 
@@ -36,7 +38,9 @@ async function cryptPassword (password: string) {
   return bcryptHashPromise(password, salt)
 }
 
+// ---------------------------------------------------------------------------
 // HTTP Signature
+// ---------------------------------------------------------------------------
 
 function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean {
   if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) {
@@ -51,10 +55,23 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool
 }
 
 function parseHTTPSignature (req: Request, clockSkew?: number) {
-  return httpSignature.parse(req, { authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME, clockSkew })
+  const requiredHeaders = req.method === 'POST'
+    ? [ '(request-target)', 'host', 'digest' ]
+    : [ '(request-target)', 'host' ]
+
+  const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders })
+
+  const parsedHeaders = parsed.params.headers
+  if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) {
+    throw new Error(`date or (created) must be included in signature`)
+  }
+
+  return parsed
 }
 
+// ---------------------------------------------------------------------------
 // JSONLD
+// ---------------------------------------------------------------------------
 
 function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise<boolean> {
   if (signedDocument.signature.type === 'RsaSignature2017') {
@@ -81,7 +98,7 @@ async function isJsonLDRSA2017Verified (fromActor: MActor, signedDocument: any)
   return verify.verify(fromActor.publicKey, signedDocument.signature.signatureValue, 'base64')
 }
 
-async function signJsonLDObject (byActor: MActor, data: any) {
+async function signJsonLDObject <T> (byActor: MActor, data: T) {
   const signature = {
     type: 'RsaSignature2017',
     creator: byActor.url,
@@ -106,26 +123,65 @@ async function signJsonLDObject (byActor: MActor, data: any) {
 
 // ---------------------------------------------------------------------------
 
+function buildDigest (body: any) {
+  const rawBody = typeof body === 'string' ? body : JSON.stringify(body)
+
+  return 'SHA-256=' + sha256(rawBody, 'base64')
+}
+
+// ---------------------------------------------------------------------------
+// Encryption
+// ---------------------------------------------------------------------------
+
+async function encrypt (str: string, secret: string) {
+  const iv = await randomBytesPromise(ENCRYPTION.IV)
+
+  const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
+  const cipher = createCipheriv(ENCRYPTION.ALGORITHM, key, iv)
+
+  let encrypted = iv.toString(ENCRYPTION.ENCODING) + ':'
+  encrypted += cipher.update(str, 'utf8', ENCRYPTION.ENCODING)
+  encrypted += cipher.final(ENCRYPTION.ENCODING)
+
+  return encrypted
+}
+
+async function decrypt (encryptedArg: string, secret: string) {
+  const [ ivStr, encryptedStr ] = encryptedArg.split(':')
+
+  const iv = Buffer.from(ivStr, 'hex')
+  const key = await scryptPromise(secret, ENCRYPTION.SALT, 32)
+
+  const decipher = createDecipheriv(ENCRYPTION.ALGORITHM, key, iv)
+
+  return decipher.update(encryptedStr, ENCRYPTION.ENCODING, 'utf8') + decipher.final('utf8')
+}
+
+// ---------------------------------------------------------------------------
+
 export {
   isHTTPSignatureDigestValid,
   parseHTTPSignature,
   isHTTPSignatureVerified,
+  buildDigest,
   isJsonLDSignatureVerified,
   comparePassword,
   createPrivateAndPublicKeys,
   cryptPassword,
-  signJsonLDObject
+  signJsonLDObject,
+
+  encrypt,
+  decrypt
 }
 
 // ---------------------------------------------------------------------------
 
-function hash (obj: any): Promise<any> {
-  return jsonld.promises
-               .normalize(obj, {
-                 algorithm: 'URDNA2015',
-                 format: 'application/n-quads'
-               })
-               .then(res => sha256(res))
+function hashObject (obj: any): Promise<any> {
+  return jsonld.promises.normalize(obj, {
+    safe: false,
+    algorithm: 'URDNA2015',
+    format: 'application/n-quads'
+  }).then(res => sha256(res))
 }
 
 function createSignatureHash (signature: any) {
@@ -141,12 +197,12 @@ function createSignatureHash (signature: any) {
   delete signatureCopy.id
   delete signatureCopy.signatureValue
 
-  return hash(signatureCopy)
+  return hashObject(signatureCopy)
 }
 
 function createDocWithoutSignatureHash (doc: any) {
   const docWithoutSignature = cloneDeep(doc)
   delete docWithoutSignature.signature
 
-  return hash(docWithoutSignature)
+  return hashObject(docWithoutSignature)
 }