diff options
author | Chocobozzz <me@florianbigard.com> | 2018-10-19 11:41:19 +0200 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2018-10-19 12:59:52 +0200 |
commit | f7509cbec875ec4ee3201cce08839f2a02676c1c (patch) | |
tree | 5dbfcff41a175aa7d4b7d396ca90fe26049d0164 /server | |
parent | 333210d862fdba4bb114b756d4f964789f480196 (diff) | |
download | PeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.tar.gz PeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.tar.zst PeerTube-f7509cbec875ec4ee3201cce08839f2a02676c1c.zip |
Add HTTP signature check before linked signature
It's faster, and will allow us to use RSA signature 2018 (with upstream
jsonld-signature module) without too much incompatibilities in the
peertube federation
Diffstat (limited to 'server')
-rw-r--r-- | server/helpers/activitypub.ts | 32 | ||||
-rw-r--r-- | server/helpers/peertube-crypto.ts | 70 | ||||
-rw-r--r-- | server/initializers/constants.ts | 7 | ||||
-rw-r--r-- | server/lib/job-queue/handlers/utils/activitypub-http-utils.ts | 7 | ||||
-rw-r--r-- | server/middlewares/activitypub.ts | 94 | ||||
-rw-r--r-- | server/middlewares/validators/activitypub/signature.ts | 16 |
6 files changed, 162 insertions, 64 deletions
diff --git a/server/helpers/activitypub.ts b/server/helpers/activitypub.ts index 1304c7559..278010e78 100644 --- a/server/helpers/activitypub.ts +++ b/server/helpers/activitypub.ts | |||
@@ -4,7 +4,7 @@ import { ResultList } from '../../shared/models' | |||
4 | import { Activity, ActivityPubActor } from '../../shared/models/activitypub' | 4 | import { Activity, ActivityPubActor } from '../../shared/models/activitypub' |
5 | import { ACTIVITY_PUB } from '../initializers' | 5 | import { ACTIVITY_PUB } from '../initializers' |
6 | import { ActorModel } from '../models/activitypub/actor' | 6 | import { ActorModel } from '../models/activitypub/actor' |
7 | import { signObject } from './peertube-crypto' | 7 | import { signJsonLDObject } from './peertube-crypto' |
8 | import { pageToStartAndCount } from './core-utils' | 8 | import { pageToStartAndCount } from './core-utils' |
9 | 9 | ||
10 | function activityPubContextify <T> (data: T) { | 10 | function activityPubContextify <T> (data: T) { |
@@ -15,22 +15,22 @@ function activityPubContextify <T> (data: T) { | |||
15 | { | 15 | { |
16 | RsaSignature2017: 'https://w3id.org/security#RsaSignature2017', | 16 | RsaSignature2017: 'https://w3id.org/security#RsaSignature2017', |
17 | pt: 'https://joinpeertube.org/ns', | 17 | pt: 'https://joinpeertube.org/ns', |
18 | schema: 'http://schema.org#', | 18 | sc: 'http://schema.org#', |
19 | Hashtag: 'as:Hashtag', | 19 | Hashtag: 'as:Hashtag', |
20 | uuid: 'schema:identifier', | 20 | uuid: 'sc:identifier', |
21 | category: 'schema:category', | 21 | category: 'sc:category', |
22 | licence: 'schema:license', | 22 | licence: 'sc:license', |
23 | subtitleLanguage: 'schema:subtitleLanguage', | 23 | subtitleLanguage: 'sc:subtitleLanguage', |
24 | sensitive: 'as:sensitive', | 24 | sensitive: 'as:sensitive', |
25 | language: 'schema:inLanguage', | 25 | language: 'sc:inLanguage', |
26 | views: 'schema:Number', | 26 | views: 'sc:Number', |
27 | stats: 'schema:Number', | 27 | stats: 'sc:Number', |
28 | size: 'schema:Number', | 28 | size: 'sc:Number', |
29 | fps: 'schema:Number', | 29 | fps: 'sc:Number', |
30 | commentsEnabled: 'schema:Boolean', | 30 | commentsEnabled: 'sc:Boolean', |
31 | waitTranscoding: 'schema:Boolean', | 31 | waitTranscoding: 'sc:Boolean', |
32 | expires: 'schema:expires', | 32 | expires: 'sc:expires', |
33 | support: 'schema:Text', | 33 | support: 'sc:Text', |
34 | CacheFile: 'pt:CacheFile' | 34 | CacheFile: 'pt:CacheFile' |
35 | }, | 35 | }, |
36 | { | 36 | { |
@@ -102,7 +102,7 @@ async function activityPubCollectionPagination (url: string, handler: ActivityPu | |||
102 | function buildSignedActivity (byActor: ActorModel, data: Object) { | 102 | function buildSignedActivity (byActor: ActorModel, data: Object) { |
103 | const activity = activityPubContextify(data) | 103 | const activity = activityPubContextify(data) |
104 | 104 | ||
105 | return signObject(byActor, activity) as Promise<Activity> | 105 | return signJsonLDObject(byActor, activity) as Promise<Activity> |
106 | } | 106 | } |
107 | 107 | ||
108 | function getActorUrl (activityActor: string | ActivityPubActor) { | 108 | function getActorUrl (activityActor: string | ActivityPubActor) { |
diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts index 5c182961d..cb5f27240 100644 --- a/server/helpers/peertube-crypto.ts +++ b/server/helpers/peertube-crypto.ts | |||
@@ -1,9 +1,12 @@ | |||
1 | import { BCRYPT_SALT_SIZE, PRIVATE_RSA_KEY_SIZE } from '../initializers' | 1 | import { Request } from 'express' |
2 | import { BCRYPT_SALT_SIZE, HTTP_SIGNATURE, PRIVATE_RSA_KEY_SIZE } from '../initializers' | ||
2 | import { ActorModel } from '../models/activitypub/actor' | 3 | import { ActorModel } from '../models/activitypub/actor' |
3 | import { bcryptComparePromise, bcryptGenSaltPromise, bcryptHashPromise, createPrivateKey, getPublicKey } from './core-utils' | 4 | import { bcryptComparePromise, bcryptGenSaltPromise, bcryptHashPromise, createPrivateKey, getPublicKey } from './core-utils' |
4 | import { jsig } from './custom-jsonld-signature' | 5 | import { jsig } from './custom-jsonld-signature' |
5 | import { logger } from './logger' | 6 | import { logger } from './logger' |
6 | 7 | ||
8 | const httpSignature = require('http-signature') | ||
9 | |||
7 | async function createPrivateAndPublicKeys () { | 10 | async function createPrivateAndPublicKeys () { |
8 | logger.info('Generating a RSA key...') | 11 | logger.info('Generating a RSA key...') |
9 | 12 | ||
@@ -13,18 +16,42 @@ async function createPrivateAndPublicKeys () { | |||
13 | return { privateKey: key, publicKey } | 16 | return { privateKey: key, publicKey } |
14 | } | 17 | } |
15 | 18 | ||
16 | function isSignatureVerified (fromActor: ActorModel, signedDocument: object) { | 19 | // User password checks |
20 | |||
21 | function comparePassword (plainPassword: string, hashPassword: string) { | ||
22 | return bcryptComparePromise(plainPassword, hashPassword) | ||
23 | } | ||
24 | |||
25 | async function cryptPassword (password: string) { | ||
26 | const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) | ||
27 | |||
28 | return bcryptHashPromise(password, salt) | ||
29 | } | ||
30 | |||
31 | // HTTP Signature | ||
32 | |||
33 | function isHTTPSignatureVerified (httpSignatureParsed: any, actor: ActorModel) { | ||
34 | return httpSignature.verifySignature(httpSignatureParsed, actor.publicKey) === true | ||
35 | } | ||
36 | |||
37 | function parseHTTPSignature (req: Request) { | ||
38 | return httpSignature.parse(req, { authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME }) | ||
39 | } | ||
40 | |||
41 | // JSONLD | ||
42 | |||
43 | function isJsonLDSignatureVerified (fromActor: ActorModel, signedDocument: any) { | ||
17 | const publicKeyObject = { | 44 | const publicKeyObject = { |
18 | '@context': jsig.SECURITY_CONTEXT_URL, | 45 | '@context': jsig.SECURITY_CONTEXT_URL, |
19 | '@id': fromActor.url, | 46 | id: fromActor.url, |
20 | '@type': 'CryptographicKey', | 47 | type: 'CryptographicKey', |
21 | owner: fromActor.url, | 48 | owner: fromActor.url, |
22 | publicKeyPem: fromActor.publicKey | 49 | publicKeyPem: fromActor.publicKey |
23 | } | 50 | } |
24 | 51 | ||
25 | const publicKeyOwnerObject = { | 52 | const publicKeyOwnerObject = { |
26 | '@context': jsig.SECURITY_CONTEXT_URL, | 53 | '@context': jsig.SECURITY_CONTEXT_URL, |
27 | '@id': fromActor.url, | 54 | id: fromActor.url, |
28 | publicKey: [ publicKeyObject ] | 55 | publicKey: [ publicKeyObject ] |
29 | } | 56 | } |
30 | 57 | ||
@@ -33,14 +60,19 @@ function isSignatureVerified (fromActor: ActorModel, signedDocument: object) { | |||
33 | publicKeyOwner: publicKeyOwnerObject | 60 | publicKeyOwner: publicKeyOwnerObject |
34 | } | 61 | } |
35 | 62 | ||
36 | return jsig.promises.verify(signedDocument, options) | 63 | return jsig.promises |
37 | .catch(err => { | 64 | .verify(signedDocument, options) |
38 | logger.error('Cannot check signature.', { err }) | 65 | .then((result: { verified: boolean }) => { |
39 | return false | 66 | logger.info('coucou', result) |
40 | }) | 67 | return result.verified |
68 | }) | ||
69 | .catch(err => { | ||
70 | logger.error('Cannot check signature.', { err }) | ||
71 | return false | ||
72 | }) | ||
41 | } | 73 | } |
42 | 74 | ||
43 | function signObject (byActor: ActorModel, data: any) { | 75 | function signJsonLDObject (byActor: ActorModel, data: any) { |
44 | const options = { | 76 | const options = { |
45 | privateKeyPem: byActor.privateKey, | 77 | privateKeyPem: byActor.privateKey, |
46 | creator: byActor.url, | 78 | creator: byActor.url, |
@@ -50,22 +82,14 @@ function signObject (byActor: ActorModel, data: any) { | |||
50 | return jsig.promises.sign(data, options) | 82 | return jsig.promises.sign(data, options) |
51 | } | 83 | } |
52 | 84 | ||
53 | function comparePassword (plainPassword: string, hashPassword: string) { | ||
54 | return bcryptComparePromise(plainPassword, hashPassword) | ||
55 | } | ||
56 | |||
57 | async function cryptPassword (password: string) { | ||
58 | const salt = await bcryptGenSaltPromise(BCRYPT_SALT_SIZE) | ||
59 | |||
60 | return bcryptHashPromise(password, salt) | ||
61 | } | ||
62 | |||
63 | // --------------------------------------------------------------------------- | 85 | // --------------------------------------------------------------------------- |
64 | 86 | ||
65 | export { | 87 | export { |
66 | isSignatureVerified, | 88 | parseHTTPSignature, |
89 | isHTTPSignatureVerified, | ||
90 | isJsonLDSignatureVerified, | ||
67 | comparePassword, | 91 | comparePassword, |
68 | createPrivateAndPublicKeys, | 92 | createPrivateAndPublicKeys, |
69 | cryptPassword, | 93 | cryptPassword, |
70 | signObject | 94 | signJsonLDObject |
71 | } | 95 | } |
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts index 1a3b52015..fd2308eb6 100644 --- a/server/initializers/constants.ts +++ b/server/initializers/constants.ts | |||
@@ -529,6 +529,12 @@ const ACTIVITY_PUB_ACTOR_TYPES: { [ id: string ]: ActivityPubActorType } = { | |||
529 | APPLICATION: 'Application' | 529 | APPLICATION: 'Application' |
530 | } | 530 | } |
531 | 531 | ||
532 | const HTTP_SIGNATURE = { | ||
533 | HEADER_NAME: 'signature', | ||
534 | ALGORITHM: 'rsa-sha256', | ||
535 | HEADERS_TO_SIGN: [ 'date', 'host', 'digest', '(request-target)' ] | ||
536 | } | ||
537 | |||
532 | // --------------------------------------------------------------------------- | 538 | // --------------------------------------------------------------------------- |
533 | 539 | ||
534 | const PRIVATE_RSA_KEY_SIZE = 2048 | 540 | const PRIVATE_RSA_KEY_SIZE = 2048 |
@@ -728,6 +734,7 @@ export { | |||
728 | VIDEO_EXT_MIMETYPE, | 734 | VIDEO_EXT_MIMETYPE, |
729 | CRAWL_REQUEST_CONCURRENCY, | 735 | CRAWL_REQUEST_CONCURRENCY, |
730 | JOB_COMPLETED_LIFETIME, | 736 | JOB_COMPLETED_LIFETIME, |
737 | HTTP_SIGNATURE, | ||
731 | VIDEO_IMPORT_STATES, | 738 | VIDEO_IMPORT_STATES, |
732 | VIDEO_VIEW_LIFETIME, | 739 | VIDEO_VIEW_LIFETIME, |
733 | buildLanguages | 740 | buildLanguages |
diff --git a/server/lib/job-queue/handlers/utils/activitypub-http-utils.ts b/server/lib/job-queue/handlers/utils/activitypub-http-utils.ts index d71c91a24..fd9c74341 100644 --- a/server/lib/job-queue/handlers/utils/activitypub-http-utils.ts +++ b/server/lib/job-queue/handlers/utils/activitypub-http-utils.ts | |||
@@ -2,6 +2,7 @@ import { buildSignedActivity } from '../../../../helpers/activitypub' | |||
2 | import { getServerActor } from '../../../../helpers/utils' | 2 | import { getServerActor } from '../../../../helpers/utils' |
3 | import { ActorModel } from '../../../../models/activitypub/actor' | 3 | import { ActorModel } from '../../../../models/activitypub/actor' |
4 | import { sha256 } from '../../../../helpers/core-utils' | 4 | import { sha256 } from '../../../../helpers/core-utils' |
5 | import { HTTP_SIGNATURE } from '../../../../initializers' | ||
5 | 6 | ||
6 | type Payload = { body: any, signatureActorId?: number } | 7 | type Payload = { body: any, signatureActorId?: number } |
7 | 8 | ||
@@ -29,11 +30,11 @@ async function buildSignedRequestOptions (payload: Payload) { | |||
29 | 30 | ||
30 | const keyId = actor.getWebfingerUrl() | 31 | const keyId = actor.getWebfingerUrl() |
31 | return { | 32 | return { |
32 | algorithm: 'rsa-sha256', | 33 | algorithm: HTTP_SIGNATURE.ALGORITHM, |
33 | authorizationHeaderName: 'Signature', | 34 | authorizationHeaderName: HTTP_SIGNATURE.HEADER_NAME, |
34 | keyId, | 35 | keyId, |
35 | key: actor.privateKey, | 36 | key: actor.privateKey, |
36 | headers: [ 'date', 'host', 'digest', '(request-target)' ] | 37 | headers: HTTP_SIGNATURE.HEADERS_TO_SIGN |
37 | } | 38 | } |
38 | } | 39 | } |
39 | 40 | ||
diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index d7f59be8c..1ec888477 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts | |||
@@ -2,34 +2,32 @@ import { eachSeries } from 'async' | |||
2 | import { NextFunction, Request, RequestHandler, Response } from 'express' | 2 | import { NextFunction, Request, RequestHandler, Response } from 'express' |
3 | import { ActivityPubSignature } from '../../shared' | 3 | import { ActivityPubSignature } from '../../shared' |
4 | import { logger } from '../helpers/logger' | 4 | import { logger } from '../helpers/logger' |
5 | import { isSignatureVerified } from '../helpers/peertube-crypto' | 5 | import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' |
6 | import { ACCEPT_HEADERS, ACTIVITY_PUB } from '../initializers' | 6 | import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers' |
7 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' | 7 | import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' |
8 | import { ActorModel } from '../models/activitypub/actor' | 8 | import { ActorModel } from '../models/activitypub/actor' |
9 | import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' | ||
9 | 10 | ||
10 | async function checkSignature (req: Request, res: Response, next: NextFunction) { | 11 | async function checkSignature (req: Request, res: Response, next: NextFunction) { |
11 | const signatureObject: ActivityPubSignature = req.body.signature | 12 | try { |
13 | const httpSignatureChecked = await checkHttpSignature(req, res) | ||
14 | if (httpSignatureChecked !== true) return | ||
12 | 15 | ||
13 | const [ creator ] = signatureObject.creator.split('#') | 16 | const actor: ActorModel = res.locals.signature.actor |
14 | 17 | ||
15 | logger.debug('Checking signature of actor %s...', creator) | 18 | // Forwarded activity |
19 | const bodyActor = req.body.actor | ||
20 | const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor | ||
21 | if (bodyActorId && bodyActorId !== actor.url) { | ||
22 | const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) | ||
23 | if (jsonLDSignatureChecked !== true) return | ||
24 | } | ||
16 | 25 | ||
17 | let actor: ActorModel | 26 | return next() |
18 | try { | ||
19 | actor = await getOrCreateActorAndServerAndModel(creator) | ||
20 | } catch (err) { | 27 | } catch (err) { |
21 | logger.warn('Cannot create remote actor %s and check signature.', creator, { err }) | 28 | logger.error('Error in ActivityPub signature checker.', err) |
22 | return res.sendStatus(403) | 29 | return res.sendStatus(403) |
23 | } | 30 | } |
24 | |||
25 | const verified = await isSignatureVerified(actor, req.body) | ||
26 | if (verified === false) return res.sendStatus(403) | ||
27 | |||
28 | res.locals.signature = { | ||
29 | actor | ||
30 | } | ||
31 | |||
32 | return next() | ||
33 | } | 31 | } |
34 | 32 | ||
35 | function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { | 33 | function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { |
@@ -57,3 +55,63 @@ export { | |||
57 | checkSignature, | 55 | checkSignature, |
58 | executeIfActivityPub | 56 | executeIfActivityPub |
59 | } | 57 | } |
58 | |||
59 | // --------------------------------------------------------------------------- | ||
60 | |||
61 | async function checkHttpSignature (req: Request, res: Response) { | ||
62 | // FIXME: mastodon does not include the Signature scheme | ||
63 | const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string | ||
64 | if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig | ||
65 | |||
66 | const parsed = parseHTTPSignature(req) | ||
67 | |||
68 | const keyId = parsed.keyId | ||
69 | if (!keyId) { | ||
70 | res.sendStatus(403) | ||
71 | return false | ||
72 | } | ||
73 | |||
74 | logger.debug('Checking HTTP signature of actor %s...', keyId) | ||
75 | |||
76 | let [ actorUrl ] = keyId.split('#') | ||
77 | if (actorUrl.startsWith('acct:')) { | ||
78 | actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) | ||
79 | } | ||
80 | |||
81 | const actor = await getOrCreateActorAndServerAndModel(actorUrl) | ||
82 | |||
83 | const verified = isHTTPSignatureVerified(parsed, actor) | ||
84 | if (verified !== true) { | ||
85 | res.sendStatus(403) | ||
86 | return false | ||
87 | } | ||
88 | |||
89 | res.locals.signature = { actor } | ||
90 | |||
91 | return true | ||
92 | } | ||
93 | |||
94 | async function checkJsonLDSignature (req: Request, res: Response) { | ||
95 | const signatureObject: ActivityPubSignature = req.body.signature | ||
96 | |||
97 | if (!signatureObject.creator) { | ||
98 | res.sendStatus(403) | ||
99 | return false | ||
100 | } | ||
101 | |||
102 | const [ creator ] = signatureObject.creator.split('#') | ||
103 | |||
104 | logger.debug('Checking JsonLD signature of actor %s...', creator) | ||
105 | |||
106 | const actor = await getOrCreateActorAndServerAndModel(creator) | ||
107 | const verified = await isJsonLDSignatureVerified(actor, req.body) | ||
108 | |||
109 | if (verified !== true) { | ||
110 | res.sendStatus(403) | ||
111 | return false | ||
112 | } | ||
113 | |||
114 | res.locals.signature = { actor } | ||
115 | |||
116 | return true | ||
117 | } | ||
diff --git a/server/middlewares/validators/activitypub/signature.ts b/server/middlewares/validators/activitypub/signature.ts index 4efe9aafa..be14e92ea 100644 --- a/server/middlewares/validators/activitypub/signature.ts +++ b/server/middlewares/validators/activitypub/signature.ts | |||
@@ -9,10 +9,18 @@ import { logger } from '../../../helpers/logger' | |||
9 | import { areValidationErrors } from '../utils' | 9 | import { areValidationErrors } from '../utils' |
10 | 10 | ||
11 | const signatureValidator = [ | 11 | const signatureValidator = [ |
12 | body('signature.type').custom(isSignatureTypeValid).withMessage('Should have a valid signature type'), | 12 | body('signature.type') |
13 | body('signature.created').custom(isDateValid).withMessage('Should have a valid signature created date'), | 13 | .optional() |
14 | body('signature.creator').custom(isSignatureCreatorValid).withMessage('Should have a valid signature creator'), | 14 | .custom(isSignatureTypeValid).withMessage('Should have a valid signature type'), |
15 | body('signature.signatureValue').custom(isSignatureValueValid).withMessage('Should have a valid signature value'), | 15 | body('signature.created') |
16 | .optional() | ||
17 | .custom(isDateValid).withMessage('Should have a valid signature created date'), | ||
18 | body('signature.creator') | ||
19 | .optional() | ||
20 | .custom(isSignatureCreatorValid).withMessage('Should have a valid signature creator'), | ||
21 | body('signature.signatureValue') | ||
22 | .optional() | ||
23 | .custom(isSignatureValueValid).withMessage('Should have a valid signature value'), | ||
16 | 24 | ||
17 | (req: express.Request, res: express.Response, next: express.NextFunction) => { | 25 | (req: express.Request, res: express.Response, next: express.NextFunction) => { |
18 | logger.debug('Checking activitypub signature parameter', { parameters: { signature: req.body.signature } }) | 26 | logger.debug('Checking activitypub signature parameter', { parameters: { signature: req.body.signature } }) |