X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fhelpers%2Fpeertube-crypto.ts;h=9eb7823026cc3222bca162ed6841bef45152300d;hb=6ad88df896e359e428259ff511f6fca3675cb4af;hp=47f0243e7e5ee5bb4daeb5640d7b848659a62738;hpb=f5028693a896a3076dd286ac0030e3d8f78f5ebf;p=github%2FChocobozzz%2FPeerTube.git diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts index 47f0243e7..9eb782302 100644 --- a/server/helpers/peertube-crypto.ts +++ b/server/helpers/peertube-crypto.ts @@ -1,148 +1,152 @@ -import * as crypto from 'crypto' -import { join } from 'path' - -import { - SIGNATURE_ALGORITHM, - SIGNATURE_ENCODING, - PRIVATE_CERT_NAME, - CONFIG, - BCRYPT_SALT_SIZE, - PUBLIC_CERT_NAME -} from '../initializers' -import { - readFilePromise, - bcryptComparePromise, - bcryptGenSaltPromise, - bcryptHashPromise, - accessPromise, - opensslExecPromise -} from './core-utils' +import { Request } from 'express' +import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers/constants' +import { createPrivateKey, getPublicKey, promisify1, promisify2, sha256 } from './core-utils' +import { jsonld } from './custom-jsonld-signature' import { logger } from './logger' +import { cloneDeep } from 'lodash' +import { createSign, createVerify } from 'crypto' +import { buildDigest } from '../lib/job-queue/handlers/utils/activitypub-http-utils' +import * as bcrypt from 'bcrypt' +import { MActor } from '../typings/models' -function checkSignature (publicKey: string, data: string, hexSignature: string) { - const verify = crypto.createVerify(SIGNATURE_ALGORITHM) - - let dataString - if (typeof data === 'string') { - dataString = data - } else { - try { - dataString = JSON.stringify(data) - } catch (err) { - logger.error('Cannot check signature.', err) - return false - } - } - - verify.update(dataString, 'utf8') +const bcryptComparePromise = promisify2(bcrypt.compare) +const bcryptGenSaltPromise = promisify1(bcrypt.genSalt) +const bcryptHashPromise = promisify2(bcrypt.hash) - const isValid = verify.verify(publicKey, hexSignature, SIGNATURE_ENCODING) - return isValid -} +const httpSignature = require('http-signature') -async function sign (data: string|Object) { - const sign = crypto.createSign(SIGNATURE_ALGORITHM) - - let dataString: string - if (typeof data === 'string') { - dataString = data - } else { - try { - dataString = JSON.stringify(data) - } catch (err) { - logger.error('Cannot sign data.', err) - return '' - } - } +async function createPrivateAndPublicKeys () { + logger.info('Generating a RSA key...') - sign.update(dataString, 'utf8') + const { key } = await createPrivateKey(PRIVATE_RSA_KEY_SIZE) + const { publicKey } = await getPublicKey(key) - const myKey = await getMyPrivateCert() - return await sign.sign(myKey, SIGNATURE_ENCODING) + return { privateKey: key, publicKey } } +// User password checks + function comparePassword (plainPassword: string, hashPassword: string) { return bcryptComparePromise(plainPassword, hashPassword) } -async function createCertsIfNotExist () { - const exist = await certsExist() - if (exist === true) { - return undefined +async function cryptPassword (password: string) { + const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) + + return bcryptHashPromise(password, salt) +} + +// HTTP Signature + +function isHTTPSignatureDigestValid (rawBody: Buffer, req: Request): boolean { + if (req.headers[HTTP_SIGNATURE.HEADER_NAME] && req.headers['digest']) { + return buildDigest(rawBody.toString()) === req.headers['digest'] } - return await createCerts() + return true } -async function cryptPassword (password: string) { - const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) +function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): boolean { + return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true +} - return await bcryptHashPromise(password, salt) +function parseHTTPSignature (req: Request, clockSkew?: number) { + return httpSignature.parse(req, { authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME, clockSkew }) } -function getMyPrivateCert () { - const certPath = join(CONFIG.STORAGE.CERT_DIR, PRIVATE_CERT_NAME) - return readFilePromise(certPath, 'utf8') +// JSONLD + +function isJsonLDSignatureVerified (fromActor: MActor, signedDocument: any): Promise { + if (signedDocument.signature.type === 'RsaSignature2017') { + return isJsonLDRSA2017Verified(fromActor, signedDocument) + } + + logger.warn('Unknown JSON LD signature %s.', signedDocument.signature.type, signedDocument) + + return Promise.resolve(false) } -function getMyPublicCert () { - const certPath = join(CONFIG.STORAGE.CERT_DIR, PUBLIC_CERT_NAME) - return readFilePromise(certPath, 'utf8') +// Backward compatibility with "other" implementations +async function isJsonLDRSA2017Verified (fromActor: MActor, signedDocument: any) { + const [ documentHash, optionsHash ] = await Promise.all([ + createDocWithoutSignatureHash(signedDocument), + createSignatureHash(signedDocument.signature) + ]) + + const toVerify = optionsHash + documentHash + + const verify = createVerify('RSA-SHA256') + verify.update(toVerify, 'utf8') + + return verify.verify(fromActor.publicKey, signedDocument.signature.signatureValue, 'base64') +} + +async function signJsonLDObject (byActor: MActor, data: any) { + const signature = { + type: 'RsaSignature2017', + creator: byActor.url, + created: new Date().toISOString() + } + + const [ documentHash, optionsHash ] = await Promise.all([ + createDocWithoutSignatureHash(data), + createSignatureHash(signature) + ]) + + const toSign = optionsHash + documentHash + + const sign = createSign('RSA-SHA256') + sign.update(toSign, 'utf8') + + const signatureValue = sign.sign(byActor.privateKey, 'base64') + Object.assign(signature, { signatureValue }) + + return Object.assign(data, { signature }) } // --------------------------------------------------------------------------- export { - checkSignature, + isHTTPSignatureDigestValid, + parseHTTPSignature, + isHTTPSignatureVerified, + isJsonLDSignatureVerified, comparePassword, - createCertsIfNotExist, + createPrivateAndPublicKeys, cryptPassword, - getMyPrivateCert, - getMyPublicCert, - sign + signJsonLDObject } // --------------------------------------------------------------------------- -async function certsExist () { - const certPath = join(CONFIG.STORAGE.CERT_DIR, PRIVATE_CERT_NAME) - - // If there is an error the certificates do not exist - try { - await accessPromise(certPath) - - return true - } catch { - return false - } +function hash (obj: any): Promise { + return jsonld.promises + .normalize(obj, { + algorithm: 'URDNA2015', + format: 'application/n-quads' + }) + .then(res => sha256(res)) } -async function createCerts () { - const exist = await certsExist() - if (exist === true) { - const errorMessage = 'Certs already exist.' - logger.warning(errorMessage) - throw new Error(errorMessage) - } +function createSignatureHash (signature: any) { + const signatureCopy = cloneDeep(signature) + Object.assign(signatureCopy, { + '@context': [ + 'https://w3id.org/security/v1', + { RsaSignature2017: 'https://w3id.org/security#RsaSignature2017' } + ] + }) - logger.info('Generating a RSA key...') + delete signatureCopy.type + delete signatureCopy.id + delete signatureCopy.signatureValue - const privateCertPath = join(CONFIG.STORAGE.CERT_DIR, PRIVATE_CERT_NAME) - const genRsaOptions = { - 'out': privateCertPath, - '2048': false - } - - await opensslExecPromise('genrsa', genRsaOptions) - logger.info('RSA key generated.') - logger.info('Managing public key...') + return hash(signatureCopy) +} - const publicCertPath = join(CONFIG.STORAGE.CERT_DIR, 'peertube.pub') - const rsaOptions = { - 'in': privateCertPath, - 'pubout': true, - 'out': publicCertPath - } +function createDocWithoutSignatureHash (doc: any) { + const docWithoutSignature = cloneDeep(doc) + delete docWithoutSignature.signature - await opensslExecPromise('rsa', rsaOptions) + return hash(docWithoutSignature) }