sendnrw/misskey
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

use @misskey-dev/node-http-message-signatures

Browse Source
This commit is contained in:
tamaina
2024-02-29 21:05:31 +00:00
parent a4e7d6940b
commit a1e6cb02b8
8 changed files with 45 additions and 211 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
packages/backend/src/@types/http-signature.d.ts vendored
View File

@@ -1,82 +0,0 @@
/*
* SPDX-FileCopyrightText: syuilo and misskey-project
* SPDX-License-Identifier: AGPL-3.0-only
*/
declare module '@peertube/http-signature' {
import type { IncomingMessage, ClientRequest } from 'node:http';
interface ISignature {
keyId: string;
algorithm: string;
headers: string[];
signature: string;
}
interface IOptions {
headers?: string[];
algorithm?: string;
strict?: boolean;
authorizationHeaderName?: string;
}
interface IParseRequestOptions extends IOptions {
clockSkew?: number;
}
interface IParsedSignature {
scheme: string;
params: ISignature;
signingString: string;
algorithm: string;
keyId: string;
}
type RequestSignerConstructorOptions =
IRequestSignerConstructorOptionsFromProperties |
IRequestSignerConstructorOptionsFromFunction;
interface IRequestSignerConstructorOptionsFromProperties {
keyId: string;
key: string | Buffer;
algorithm?: string;
}
interface IRequestSignerConstructorOptionsFromFunction {
sign?: (data: string, cb: (err: any, sig: ISignature) => void) => void;
}
class RequestSigner {
constructor(options: RequestSignerConstructorOptions);
public writeHeader(header: string, value: string): string;
public writeDateHeader(): string;
public writeTarget(method: string, path: string): void;
public sign(cb: (err: any, authz: string) => void): void;
}
interface ISignRequestOptions extends IOptions {
keyId: string;
key: string;
httpVersion?: string;
}
export function parse(request: IncomingMessage, options?: IParseRequestOptions): IParsedSignature;
export function parseRequest(request: IncomingMessage, options?: IParseRequestOptions): IParsedSignature;
export function sign(request: ClientRequest, options: ISignRequestOptions): boolean;
export function signRequest(request: ClientRequest, options: ISignRequestOptions): boolean;
export function createSigner(): RequestSigner;
export function isSigner(obj: any): obj is RequestSigner;
export function sshKeyToPEM(key: string): string;
export function sshKeyFingerprint(key: string): string;
export function pemToRsaSSHKey(pem: string, comment: string): string;
export function verify(parsedSignature: IParsedSignature, pubkey: string | Buffer): boolean;
export function verifySignature(parsedSignature: IParsedSignature, pubkey: string | Buffer): boolean;
export function verifyHMAC(parsedSignature: IParsedSignature, secret: string): boolean;
}

6
packages/backend/src/core/QueueService.ts
View File

@@ -12,11 +12,11 @@ import type { Config } from '@/config.js';
import { DI } from '@/di-symbols.js';
import { bindThis } from '@/decorators.js';
import type { Antenna } from '@/server/api/endpoints/i/import-antennas.js';
import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js';
import type { DbQueue, DeliverQueue, EndedPollNotificationQueue, InboxQueue, ObjectStorageQueue, RelationshipQueue, SystemQueue, WebhookDeliverQueue } from './QueueModule.js';
import type { DbJobData, DeliverJobData, RelationshipJobData, ThinUser } from '../queue/types.js';
import type httpSignature from '@peertube/http-signature';
import type * as Bull from 'bullmq';
import { ApRequestCreator } from '@/core/activitypub/ApRequestService.js';
import type { ParsedSignature } from '@misskey-dev/node-http-message-signatures';
@Injectable()
export class QueueService {
@@ -136,7 +136,7 @@ export class QueueService {
}
@bindThis
public inbox(activity: IActivity, signature: httpSignature.IParsedSignature) {
public inbox(activity: IActivity, signature: ParsedSignature) {
const data = {
activity: activity,
signature,

6
packages/backend/src/queue/processors/InboxProcessorService.ts
View File

@@ -5,8 +5,8 @@
import { URL } from 'node:url';
import { Injectable } from '@nestjs/common';
import httpSignature from '@peertube/http-signature';
import * as Bull from 'bullmq';
import { verifyDraftSignature } from '@misskey-dev/node-http-message-signatures';
import type Logger from '@/logger.js';
import { MetaService } from '@/core/MetaService.js';
import { FederatedInstanceService } from '@/core/FederatedInstanceService.js';
@@ -51,7 +51,7 @@ export class InboxProcessorService {
@bindThis
public async process(job: Bull.Job<InboxJobData>): Promise<string> {
const signature = job.data.signature; // HTTP-signature
const signature = 'version' in job.data.signature ? job.data.signature.value : job.data.signature;
const activity = job.data.activity;
//#region Log
@@ -103,7 +103,7 @@ export class InboxProcessorService {
}
// HTTP-Signatureの検証
const httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
const httpSignatureValidated = verifyDraftSignature(signature, authUser.key.keyPem);
// また、signatureのsignerは、activity.actorと一致する必要がある
if (!httpSignatureValidated || authUser.user.uri !== activity.actor) {

20
packages/backend/src/queue/types.ts
View File

@@ -9,7 +9,23 @@ import type { MiNote } from '@/models/Note.js';
import type { MiUser } from '@/models/User.js';
import type { MiWebhook } from '@/models/Webhook.js';
import type { IActivity } from '@/core/activitypub/type.js';
import type httpSignature from '@peertube/http-signature';
import type { ParsedSignature } from '@misskey-dev/node-http-message-signatures';
/**
* @peertube/http-signature 時代の古いデータにも対応しておく
*/
export interface OldParsedSignature {
scheme: 'Signature';
params: {
keyId: string;
algorithm: string;
headers: string[];
signature: string;
};
signingString: string;
algorithm: string;
keyId: string;
}
export type DeliverJobData = {
/** Actor */
@@ -26,7 +42,7 @@ export type DeliverJobData = {
export type InboxJobData = {
activity: IActivity;
signature: httpSignature.IParsedSignature;
signature: ParsedSignature | OldParsedSignature;
};
export type RelationshipJobData = {

60
packages/backend/src/server/ActivityPubServerService.ts
View File

@@ -7,7 +7,7 @@ import * as crypto from 'node:crypto';
import { IncomingMessage } from 'node:http';
import { Inject, Injectable } from '@nestjs/common';
import fastifyAccepts from '@fastify/accepts';
import httpSignature from '@peertube/http-signature';
import { verifyDigestHeader, parseRequestSignature } from '@misskey-dev/node-http-message-signatures';
import { Brackets, In, IsNull, LessThan, Not } from 'typeorm';
import accepts from 'accepts';
import vary from 'vary';
@@ -103,63 +103,29 @@ export class ActivityPubServerService {
private inbox(request: FastifyRequest, reply: FastifyReply) {
let signature;
const verifyDigest = verifyDigestHeader(request.raw, request.rawBody || '', true);
if (!verifyDigest) {
reply.code(401);
return;
}
try {
signature = httpSignature.parseRequest(request.raw, { 'headers': [] });
signature = parseRequestSignature(request.raw);
} catch (e) {
reply.code(401);
return;
}
if (signature.params.headers.indexOf('host') === -1
|| request.headers.host !== this.config.host) {
// Host not specified or not match.
if (!signature) {
reply.code(401);
return;
}
if (signature.params.headers.indexOf('digest') === -1) {
// Digest not found.
if (signature.value.params.headers.indexOf('host') === -1
|| request.headers.host !== this.config.host) {
// Host not specified or not match.
reply.code(401);
} else {
const digest = request.headers.digest;
if (typeof digest !== 'string') {
// Huh?
reply.code(401);
return;
}
const re = /^([a-zA-Z0-9\-]+)=(.+)$/;
const match = digest.match(re);
if (match == null) {
// Invalid digest
reply.code(401);
return;
}
const algo = match[1].toUpperCase();
const digestValue = match[2];
if (algo !== 'SHA-256') {
// Unsupported digest algorithm
reply.code(401);
return;
}
if (request.rawBody == null) {
// Bad request
reply.code(400);
return;
}
const hash = crypto.createHash('sha256').update(request.rawBody).digest('base64');
if (hash !== digestValue) {
// Invalid digest
reply.code(401);
return;
}
return;
}
this.queueService.inbox(request.body as IActivity, signature);