From f7509cbec875ec4ee3201cce08839f2a02676c1c Mon Sep 17 00:00:00 2001 From: Chocobozzz Date: Fri, 19 Oct 2018 11:41:19 +0200 Subject: Add HTTP signature check before linked signature It's faster, and will allow us to use RSA signature 2018 (with upstream jsonld-signature module) without too much incompatibilities in the peertube federation --- server/middlewares/activitypub.ts | 94 +++++++++++++++++----- .../validators/activitypub/signature.ts | 16 +++- 2 files changed, 88 insertions(+), 22 deletions(-) (limited to 'server/middlewares') diff --git a/server/middlewares/activitypub.ts b/server/middlewares/activitypub.ts index d7f59be8c..1ec888477 100644 --- a/server/middlewares/activitypub.ts +++ b/server/middlewares/activitypub.ts @@ -2,34 +2,32 @@ import { eachSeries } from 'async' import { NextFunction, Request, RequestHandler, Response } from 'express' import { ActivityPubSignature } from '../../shared' import { logger } from '../helpers/logger' -import { isSignatureVerified } from '../helpers/peertube-crypto' -import { ACCEPT_HEADERS, ACTIVITY_PUB } from '../initializers' +import { isHTTPSignatureVerified, isJsonLDSignatureVerified, parseHTTPSignature } from '../helpers/peertube-crypto' +import { ACCEPT_HEADERS, ACTIVITY_PUB, HTTP_SIGNATURE } from '../initializers' import { getOrCreateActorAndServerAndModel } from '../lib/activitypub' import { ActorModel } from '../models/activitypub/actor' +import { loadActorUrlOrGetFromWebfinger } from '../helpers/webfinger' async function checkSignature (req: Request, res: Response, next: NextFunction) { - const signatureObject: ActivityPubSignature = req.body.signature + try { + const httpSignatureChecked = await checkHttpSignature(req, res) + if (httpSignatureChecked !== true) return - const [ creator ] = signatureObject.creator.split('#') + const actor: ActorModel = res.locals.signature.actor - logger.debug('Checking signature of actor %s...', creator) + // Forwarded activity + const bodyActor = req.body.actor + const bodyActorId = bodyActor && bodyActor.id ? bodyActor.id : bodyActor + if (bodyActorId && bodyActorId !== actor.url) { + const jsonLDSignatureChecked = await checkJsonLDSignature(req, res) + if (jsonLDSignatureChecked !== true) return + } - let actor: ActorModel - try { - actor = await getOrCreateActorAndServerAndModel(creator) + return next() } catch (err) { - logger.warn('Cannot create remote actor %s and check signature.', creator, { err }) + logger.error('Error in ActivityPub signature checker.', err) return res.sendStatus(403) } - - const verified = await isSignatureVerified(actor, req.body) - if (verified === false) return res.sendStatus(403) - - res.locals.signature = { - actor - } - - return next() } function executeIfActivityPub (fun: RequestHandler | RequestHandler[]) { @@ -57,3 +55,63 @@ export { checkSignature, executeIfActivityPub } + +// --------------------------------------------------------------------------- + +async function checkHttpSignature (req: Request, res: Response) { + // FIXME: mastodon does not include the Signature scheme + const sig = req.headers[HTTP_SIGNATURE.HEADER_NAME] as string + if (sig && sig.startsWith('Signature ') === false) req.headers[HTTP_SIGNATURE.HEADER_NAME] = 'Signature ' + sig + + const parsed = parseHTTPSignature(req) + + const keyId = parsed.keyId + if (!keyId) { + res.sendStatus(403) + return false + } + + logger.debug('Checking HTTP signature of actor %s...', keyId) + + let [ actorUrl ] = keyId.split('#') + if (actorUrl.startsWith('acct:')) { + actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, '')) + } + + const actor = await getOrCreateActorAndServerAndModel(actorUrl) + + const verified = isHTTPSignatureVerified(parsed, actor) + if (verified !== true) { + res.sendStatus(403) + return false + } + + res.locals.signature = { actor } + + return true +} + +async function checkJsonLDSignature (req: Request, res: Response) { + const signatureObject: ActivityPubSignature = req.body.signature + + if (!signatureObject.creator) { + res.sendStatus(403) + return false + } + + const [ creator ] = signatureObject.creator.split('#') + + logger.debug('Checking JsonLD signature of actor %s...', creator) + + const actor = await getOrCreateActorAndServerAndModel(creator) + const verified = await isJsonLDSignatureVerified(actor, req.body) + + if (verified !== true) { + res.sendStatus(403) + return false + } + + res.locals.signature = { actor } + + return true +} diff --git a/server/middlewares/validators/activitypub/signature.ts b/server/middlewares/validators/activitypub/signature.ts index 4efe9aafa..be14e92ea 100644 --- a/server/middlewares/validators/activitypub/signature.ts +++ b/server/middlewares/validators/activitypub/signature.ts @@ -9,10 +9,18 @@ import { logger } from '../../../helpers/logger' import { areValidationErrors } from '../utils' const signatureValidator = [ - body('signature.type').custom(isSignatureTypeValid).withMessage('Should have a valid signature type'), - body('signature.created').custom(isDateValid).withMessage('Should have a valid signature created date'), - body('signature.creator').custom(isSignatureCreatorValid).withMessage('Should have a valid signature creator'), - body('signature.signatureValue').custom(isSignatureValueValid).withMessage('Should have a valid signature value'), + body('signature.type') + .optional() + .custom(isSignatureTypeValid).withMessage('Should have a valid signature type'), + body('signature.created') + .optional() + .custom(isDateValid).withMessage('Should have a valid signature created date'), + body('signature.creator') + .optional() + .custom(isSignatureCreatorValid).withMessage('Should have a valid signature creator'), + body('signature.signatureValue') + .optional() + .custom(isSignatureValueValid).withMessage('Should have a valid signature value'), (req: express.Request, res: express.Response, next: express.NextFunction) => { logger.debug('Checking activitypub signature parameter', { parameters: { signature: req.body.signature } }) -- cgit v1.2.3