From e08ec7a723724c247d9bbcdbf157da08d3ba31a7 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Fri, 6 May 2022 15:11:54 +0200
Subject: Handle HTTP signature draft 11

---
 server/helpers/peertube-crypto.ts | 15 +++++++++++----
 server/initializers/constants.ts | 6 +-----
 server/tests/api/activitypub/security.ts | 11 +++++++++++
 3 files changed, 23 insertions(+), 9 deletions(-)

(limited to 'server')

diff --git a/server/helpers/peertube-crypto.ts b/server/helpers/peertube-crypto.ts
index b8f7c782a..1a7ee24a7 100644
--- a/server/helpers/peertube-crypto.ts
+++ b/server/helpers/peertube-crypto.ts
@@ -51,11 +51,18 @@ function isHTTPSignatureVerified (httpSignatureParsed: any, actor: MActor): bool
 }
 
 function parseHTTPSignature (req: Request, clockSkew?: number) {
-  const headers = req.method === 'POST'
-    ? HTTP_SIGNATURE.REQUIRED_HEADERS.POST
-    : HTTP_SIGNATURE.REQUIRED_HEADERS.ALL
+  const requiredHeaders = req.method === 'POST'
+    ? [ '(request-target)', 'host', 'digest' ]
+    : [ '(request-target)', 'host' ]
 
-  return httpSignature.parse(req, { clockSkew, headers })
+  const parsed = httpSignature.parse(req, { clockSkew, headers: requiredHeaders })
+
+  const parsedHeaders = parsed.params.headers
+  if (!parsedHeaders.includes('date') && !parsedHeaders.includes('(created)')) {
+    throw new Error(`date or (created) must be included in signature`)
+  }
+
+  return parsed
 }
 
 // JSONLD
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index dca792b1b..44f676a15 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
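Review bot: With 'date' no longer in the required list, a request signed with only (created) passes the new includes() check whenever httpSignature.parse did not throw, so the replay window for such requests is whatever the library enforces for (created) rather than the two-sided clockSkew check it applies to the Date header; please confirm the library also rejects a stale (created), and if it only rejects a future timestamp add an explicit bound next to the includes() check, e.g. `const created = Number(parsed.params.created)` followed by `if (clockSkew !== undefined && Number.isFinite(created) && Math.abs(Date.now() / 1000 - created) > clockSkew) throw new Error('(created) is outside the allowed clock skew')`. The guard also assumes parsed.params.headers is always an array; the draft's default when the headers parameter is absent is a single 'date' entry, so a one-line comment that the parser is relied on to supply that default would help the next reader. Minor: the throw uses a template literal with no interpolation, where a plain quoted string is the usual form, and the inlined requiredHeaders lists now duplicate names that HTTP_SIGNATURE.HEADERS_TO_SIGN in constants.ts also carries.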
@@ -589,11 +589,7 @@ const ACTIVITY_PUB_ACTOR_TYPES: { [ id: string ]: ActivityPubActorType } = {
 const HTTP_SIGNATURE = {
   HEADER_NAME: 'signature',
   ALGORITHM: 'rsa-sha256',
-  HEADERS_TO_SIGN: [ '(request-target)', 'host', 'date', 'digest' ],
-  REQUIRED_HEADERS: {
-    ALL: [ '(request-target)', 'host', 'date' ],
-    POST: [ '(request-target)', 'host', 'date', 'digest' ]
-  },
+  HEADERS_TO_SIGN: [ '(request-target)', '(created)', 'host', 'date', 'digest' ],
   CLOCK_SKEW_SECONDS: 1800
 }
 
diff --git a/server/tests/api/activitypub/security.ts b/server/tests/api/activitypub/security.ts
index a070517b8..95e2aebb4 100644
--- a/server/tests/api/activitypub/security.ts
+++ b/server/tests/api/activitypub/security.ts
@@ -147,6 +147,17 @@ describe('Test ActivityPub security', function () {
     }
   })
 
+  it('Should succeed with a valid HTTP signature draft 11 (without date but with (created))', async function () {
+    const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
+    const headers = buildGlobalHeaders(body)
+
+    const signatureOptions = baseHttpSignature()
+    signatureOptions.headers = [ '(request-target)', '(created)', 'host', 'digest' ]
+
+    const { statusCode } = await makePOSTAPRequest(url, body, signatureOptions, headers)
+    expect(statusCode).to.equal(HttpStatusCode.NO_CONTENT_204)
+  })
+
   it('Should succeed with a valid HTTP signature', async function () {
     const body = activityPubContextify(getAnnounceWithoutContext(servers[1]), 'Announce')
     const headers = buildGlobalHeaders(body)
-- 
cgit v1.2.3
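Review bot: HEADERS_TO_SIGN now lists '(created)' alongside 'date' while ALGORITHM stays 'rsa-sha256'; as far as I recall the draft-11 text ties the (created) parameter to the hs2019 algorithm and lets a verifier error out when it is combined with an rsa-* algorithm, so strict peers may refuse outgoing signatures, which should be checked against the implementations this is meant to federate with. A short comment on the changed line would also record the intent, e.g. `// both 'date' and '(created)' are signed so that verifiers that still require a Date header and draft-11 verifiers can validate the request` (presumed from the commit title; confirm before keeping it).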
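Review bot: The new case only covers the accepting path; the rejection branch this commit adds to parseHTTPSignature (a signature whose headers list carries neither date nor (created)) has no test, so a regression there would go unnoticed. A companion case that sets `signatureOptions.headers = [ '(request-target)', 'host', 'digest' ]` and asserts the status the surrounding invalid-signature tests expect would pin it. One more case with a (created) value well outside CLOCK_SKEW_SECONDS would make the clock-skew behaviour for draft-11 signatures exercised rather than assumed.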