aboutsummaryrefslogtreecommitdiffhomepage
path: root/server/helpers
diff options
context:
space:
mode:
authorChocobozzz <me@florianbigard.com>2018-10-19 11:41:19 +0200
committerChocobozzz <me@florianbigard.com>2018-10-19 12:59:52 +0200
commitf7509cbec875ec4ee3201cce08839f2a02676c1c (patch)
tree5dbfcff41a175aa7d4b7d396ca90fe26049d0164 /server/helpers
parent333210d862fdba4bb114b756d4f964789f480196 (diff)
downloadPeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.tar.gz
PeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.tar.zst
PeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.zip
Add HTTP signature check before linked signature
It's faster, and will allow us to use RSA signature 2018 (with upstream jsonld-signature module) without too much incompatibilities in the peertube federation
Diffstat (limited to 'server/helpers')
-rw-r--r--server/helpers/activitypub.ts32
-rw-r--r--server/helpers/peertube-crypto.ts70
2 files changed, 63 insertions, 39 deletions
diff --git a/server/helpers/activitypub.ts b/server/helpers/activitypub.ts
index 1304c7559..278010e78 100644
--- a/server/helpers/activitypub.ts
+++ b/server/helpers/activitypub.ts
@@ -4,7 +4,7 @@ import { ResultList } from '../../shared/models'
4import { Activity, ActivityPubActor } from '../../shared/models/activitypub' 4import { Activity, ActivityPubActor } from '../../shared/models/activitypub'
5import { ACTIVITY_PUB } from '../initializers' 5import { ACTIVITY_PUB } from '../initializers'
6import { ActorModel } from '../models/activitypub/actor' 6import { ActorModel } from '../models/activitypub/actor'
7import { signObject } from './peertube-crypto' 7import { signJsonLDObject } from './peertube-crypto'
8import { pageToStartAndCount } from './core-utils' 8import { pageToStartAndCount } from './core-utils'
9 9
10function activityPubContextify <T> (data: T) { 10function activityPubContextify <T> (data: T) {
@@ -15,22 +15,22 @@ function activityPubContextify <T> (data: T) {
15 { 15 {
16 RsaSignature2017: 'https://w3id.org/security#RsaSignature2017', 16 RsaSignature2017: 'https://w3id.org/security#RsaSignature2017',
17 pt: 'https://joinpeertube.org/ns', 17 pt: 'https://joinpeertube.org/ns',
18 schema: 'http://schema.org#', 18 sc: 'http://schema.org#',
19 Hashtag: 'as:Hashtag', 19 Hashtag: 'as:Hashtag',
20 uuid: 'schema:identifier', 20 uuid: 'sc:identifier',
21 category: 'schema:category', 21 category: 'sc:category',
22 licence: 'schema:license', 22 licence: 'sc:license',
23 subtitleLanguage: 'schema:subtitleLanguage', 23 subtitleLanguage: 'sc:subtitleLanguage',
24 sensitive: 'as:sensitive', 24 sensitive: 'as:sensitive',
25 language: 'schema:inLanguage', 25 language: 'sc:inLanguage',
26 views: 'schema:Number', 26 views: 'sc:Number',
27 stats: 'schema:Number', 27 stats: 'sc:Number',
28 size: 'schema:Number', 28 size: 'sc:Number',
29 fps: 'schema:Number', 29 fps: 'sc:Number',
30 commentsEnabled: 'schema:Boolean', 30 commentsEnabled: 'sc:Boolean',
31 waitTranscoding: 'schema:Boolean', 31 waitTranscoding: 'sc:Boolean',
32 expires: 'schema:expires', 32 expires: 'sc:expires',
33 support: 'schema:Text', 33 support: 'sc:Text',
34 CacheFile: 'pt:CacheFile' 34 CacheFile: 'pt:CacheFile'
35 }, 35 },
36 { 36 {
@@ -102,7 +102,7 @@ async function activityPubCollectionPagination (url: string, handler: ActivityPu
102function buildSignedActivity (byActor: ActorModel, data: Object) { 102function buildSignedActivity (byActor: ActorModel, data: Object) {
103 const activity = activityPubContextify(data) 103 const activity = activityPubContextify(data)
104 104
105 return signObject(byActor, activity) as Promise<Activity> 105 return signJsonLDObject(byActor, activity) as Promise<Activity>
106} 106}
107 107
108function getActorUrl (activityActor: string | ActivityPubActor) { 108function getActorUrl (activityActor: string | ActivityPubActor) {
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts
index 5c182961d..cb5f27240 100644
--- a/server/helpers/peertube-crypto.ts
+++ b/server/helpers/peertube-crypto.ts
@@ -1,9 +1,12 @@
1import { BCRYPT_SALT_SIZE, PRIVATE_RSA_KEY_SIZE } from '../initializers' 1import { Request } from 'express'
2import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers'
2import { ActorModel } from '../models/activitypub/actor' 3import { ActorModel } from '../models/activitypub/actor'
3import { bcryptComparePromise, bcryptGenSaltPromise, bcryptHashPromise, createPrivateKey, getPublicKey } from './core-utils' 4import { bcryptComparePromise, bcryptGenSaltPromise, bcryptHashPromise, createPrivateKey, getPublicKey } from './core-utils'
4import { jsig } from './custom-jsonld-signature' 5import { jsig } from './custom-jsonld-signature'
5import { logger } from './logger' 6import { logger } from './logger'
6 7
8const httpSignature = require('http-signature')
9
7async function createPrivateAndPublicKeys () { 10async function createPrivateAndPublicKeys () {
8 logger.info('Generating a RSA key...') 11 logger.info('Generating a RSA key...')
9 12
@@ -13,18 +16,42 @@ async function createPrivateAndPublicKeys () {
13 return { privateKey: key, publicKey } 16 return { privateKey: key, publicKey }
14} 17}
15 18
16function isSignatureVerified (fromActor: ActorModel, signedDocument: object) { 19// User password checks
20
21function comparePassword (plainPassword: string, hashPassword: string) {
22 return bcryptComparePromise(plainPassword, hashPassword)
23}
24
25async function cryptPassword (password: string) {
26 const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE)
27
28 return bcryptHashPromise(password, salt)
29}
30
31// HTTP Signature
32
33function isHTTPSignatureVerified (httpSignatureParsed: any, actor: ActorModel) {
34 return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true
35}
36
37function parseHTTPSignature (req: Request) {
38 return httpSignature.parse(req, { authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME })
39}
40
41// JSONLD
42
43function isJsonLDSignatureVerified (fromActor: ActorModel, signedDocument: any) {
17 const publicKeyObject = { 44 const publicKeyObject = {
18 '@context': jsig.SECURITY_CONTEXT_URL, 45 '@context': jsig.SECURITY_CONTEXT_URL,
19 '@id': fromActor.url, 46 id: fromActor.url,
20 '@type': 'CryptographicKey', 47 type: 'CryptographicKey',
21 owner: fromActor.url, 48 owner: fromActor.url,
22 publicKeyPem: fromActor.publicKey 49 publicKeyPem: fromActor.publicKey
23 } 50 }
24 51
25 const publicKeyOwnerObject = { 52 const publicKeyOwnerObject = {
26 '@context': jsig.SECURITY_CONTEXT_URL, 53 '@context': jsig.SECURITY_CONTEXT_URL,
27 '@id': fromActor.url, 54 id: fromActor.url,
28 publicKey: [ publicKeyObject ] 55 publicKey: [ publicKeyObject ]
29 } 56 }
30 57
@@ -33,14 +60,19 @@ function isSignatureVerified (fromActor: ActorModel, signedDocument: object) {
33 publicKeyOwner: publicKeyOwnerObject 60 publicKeyOwner: publicKeyOwnerObject
34 } 61 }
35 62
36 return jsig.promises.verify(signedDocument, options) 63 return jsig.promises
37 .catch(err => { 64 .verify(signedDocument, options)
38 logger.error('Cannot check signature.', { err }) 65 .then((result: { verified: boolean }) => {
39 return false 66 logger.info('coucou', result)
40 }) 67 return result.verified
68 })
69 .catch(err => {
70 logger.error('Cannot check signature.', { err })
71 return false
72 })
41} 73}
42 74
43function signObject (byActor: ActorModel, data: any) { 75function signJsonLDObject (byActor: ActorModel, data: any) {
44 const options = { 76 const options = {
45 privateKeyPem: byActor.privateKey, 77 privateKeyPem: byActor.privateKey,
46 creator: byActor.url, 78 creator: byActor.url,
@@ -50,22 +82,14 @@ function signObject (byActor: ActorModel, data: any) {
50 return jsig.promises.sign(data, options) 82 return jsig.promises.sign(data, options)
51} 83}
52 84
53function comparePassword (plainPassword: string, hashPassword: string) {
54 return bcryptComparePromise(plainPassword, hashPassword)
55}
56
57async function cryptPassword (password: string) {
58 const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE)
59
60 return bcryptHashPromise(password, salt)
61}
62
63// --------------------------------------------------------------------------- 85// ---------------------------------------------------------------------------
64 86
65export { 87export {
66 isSignatureVerified, 88 parseHTTPSignature,
89 isHTTPSignatureVerified,
90 isJsonLDSignatureVerified,
67 comparePassword, 91 comparePassword,
68 createPrivateAndPublicKeys, 92 createPrivateAndPublicKeys,
69 cryptPassword, 93 cryptPassword,
70 signObject 94 signJsonLDObject
71} 95}