diff options
author | Chocobozzz <me@florianbigard.com> | 2018-10-19 11:41:19 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-10-19 12:59:52 +0200 |
commit | f7509cbec875ec4ee3201cce08839f2a02676c1c (patch) | |
tree | 5dbfcff41a175aa7d4b7d396ca90fe26049d0164 /server/helpers/peertube-crypto.ts | |
parent | 333210d862fdba4bb114b756d4f964789f480196 (diff) | |
download | PeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.tar.gz PeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.tar.zst PeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.zip |
Add HTTP signature check before linked signature
It's faster, and will allow us to use RSA signature 2018 (with upstream
jsonld-signature module) without too much incompatibilities in the
peertube federation
Diffstat (limited to 'server/helpers/peertube-crypto.ts')
-rw-r--r-- | server/helpers/peertube-crypto.ts | 70 |
1 files changed, 47 insertions, 23 deletions
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts index 5c182961d..cb5f27240 100644 --- a/server/helpers/peertube-crypto.ts +++ b/server/helpers/peertube-crypto.ts | |||
@@ -1,9 +1,12 @@ | |||
1 | import { BCRYPT_SALT_SIZE, PRIVATE_RSA_KEY_SIZE } from '../initializers' | 1 | import { Request } from 'express' |
2 | import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers' | ||
2 | import { ActorModel } from '../models/activitypub/actor' | 3 | import { ActorModel } from '../models/activitypub/actor' |
3 | import { bcryptComparePromise, bcryptGenSaltPromise, bcryptHashPromise, createPrivateKey, getPublicKey } from './core-utils' | 4 | import { bcryptComparePromise, bcryptGenSaltPromise, bcryptHashPromise, createPrivateKey, getPublicKey } from './core-utils' |
4 | import { jsig } from './custom-jsonld-signature' | 5 | import { jsig } from './custom-jsonld-signature' |
5 | import { logger } from './logger' | 6 | import { logger } from './logger' |
6 | 7 | ||
8 | const httpSignature = require('http-signature') | ||
9 | |||
7 | async function createPrivateAndPublicKeys () { | 10 | async function createPrivateAndPublicKeys () { |
8 | logger.info('Generating a RSA key...') | 11 | logger.info('Generating a RSA key...') |
9 | 12 | ||
@@ -13,18 +16,42 @@ async function createPrivateAndPublicKeys () { | |||
13 | return { privateKey: key, publicKey } | 16 | return { privateKey: key, publicKey } |
14 | } | 17 | } |
15 | 18 | ||
16 | function isSignatureVerified (fromActor: ActorModel, signedDocument: object) { | 19 | // User password checks |
20 | |||
21 | function comparePassword (plainPassword: string, hashPassword: string) { | ||
22 | return bcryptComparePromise(plainPassword, hashPassword) | ||
23 | } | ||
24 | |||
25 | async function cryptPassword (password: string) { | ||
26 | const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) | ||
27 | |||
28 | return bcryptHashPromise(password, salt) | ||
29 | } | ||
30 | |||
31 | // HTTP Signature | ||
32 | |||
33 | function isHTTPSignatureVerified (httpSignatureParsed: any, actor: ActorModel) { | ||
34 | return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true | ||
35 | } | ||
36 | |||
37 | function parseHTTPSignature (req: Request) { | ||
38 | return httpSignature.parse(req, { authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME }) | ||
39 | } | ||
40 | |||
41 | // JSONLD | ||
42 | |||
43 | function isJsonLDSignatureVerified (fromActor: ActorModel, signedDocument: any) { | ||
17 | const publicKeyObject = { | 44 | const publicKeyObject = { |
18 | '@context': jsig.SECURITY_CONTEXT_URL, | 45 | '@context': jsig.SECURITY_CONTEXT_URL, |
19 | '@id': fromActor.url, | 46 | id: fromActor.url, |
20 | '@type': 'CryptographicKey', | 47 | type: 'CryptographicKey', |
21 | owner: fromActor.url, | 48 | owner: fromActor.url, |
22 | publicKeyPem: fromActor.publicKey | 49 | publicKeyPem: fromActor.publicKey |
23 | } | 50 | } |
24 | 51 | ||
25 | const publicKeyOwnerObject = { | 52 | const publicKeyOwnerObject = { |
26 | '@context': jsig.SECURITY_CONTEXT_URL, | 53 | '@context': jsig.SECURITY_CONTEXT_URL, |
27 | '@id': fromActor.url, | 54 | id: fromActor.url, |
28 | publicKey: [ publicKeyObject ] | 55 | publicKey: [ publicKeyObject ] |
29 | } | 56 | } |
30 | 57 | ||
@@ -33,14 +60,19 @@ function isSignatureVerified (fromActor: ActorModel, signedDocument: object) { | |||
33 | publicKeyOwner: publicKeyOwnerObject | 60 | publicKeyOwner: publicKeyOwnerObject |
34 | } | 61 | } |
35 | 62 | ||
36 | return jsig.promises.verify(signedDocument, options) | 63 | return jsig.promises |
37 | .catch(err => { | 64 | .verify(signedDocument, options) |
38 | logger.error('Cannot check signature.', { err }) | 65 | .then((result: { verified: boolean }) => { |
39 | return false | 66 | logger.info('coucou', result) |
40 | }) | 67 | return result.verified |
68 | }) | ||
69 | .catch(err => { | ||
70 | logger.error('Cannot check signature.', { err }) | ||
71 | return false | ||
72 | }) | ||
41 | } | 73 | } |
42 | 74 | ||
43 | function signObject (byActor: ActorModel, data: any) { | 75 | function signJsonLDObject (byActor: ActorModel, data: any) { |
44 | const options = { | 76 | const options = { |
45 | privateKeyPem: byActor.privateKey, | 77 | privateKeyPem: byActor.privateKey, |
46 | creator: byActor.url, | 78 | creator: byActor.url, |
@@ -50,22 +82,14 @@ function signObject (byActor: ActorModel, data: any) { | |||
50 | return jsig.promises.sign(data, options) | 82 | return jsig.promises.sign(data, options) |
51 | } | 83 | } |
52 | 84 | ||
53 | function comparePassword (plainPassword: string, hashPassword: string) { | ||
54 | return bcryptComparePromise(plainPassword, hashPassword) | ||
55 | } | ||
56 | |||
57 | async function cryptPassword (password: string) { | ||
58 | const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) | ||
59 | |||
60 | return bcryptHashPromise(password, salt) | ||
61 | } | ||
62 | |||
63 | // --------------------------------------------------------------------------- | 85 | // --------------------------------------------------------------------------- |
64 | 86 | ||
65 | export { | 87 | export { |
66 | isSignatureVerified, | 88 | parseHTTPSignature, |
89 | isHTTPSignatureVerified, | ||
90 | isJsonLDSignatureVerified, | ||
67 | comparePassword, | 91 | comparePassword, |
68 | createPrivateAndPublicKeys, | 92 | createPrivateAndPublicKeys, |
69 | cryptPassword, | 93 | cryptPassword, |
70 | signObject | 94 | signJsonLDObject |
71 | } | 95 | } |