Check Signature Algorithm

mei23 · Dec 2, 2023 · f1e07f4 · f1e07f4
1 parent 09b401e
commit f1e07f4
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 23 deletions.
diff --git a/package.json b/package.json
@@ -87,7 +87,7 @@
 		"highlight.js": "10.6.0",
 		"html-minifier": "4.0.0",
 		"http-proxy-agent": "5.0.0",
-		"http-signature": "1.3.6",
+		"@peertube/http-signature": "1.7.0",
 		"https-proxy-agent": "5.0.1",
 		"insert-text-at-cursor": "0.3.0",
 		"ip-cidr": "3.0.11",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/@types/http-signature.d.ts b/src/@types/http-signature.d.ts
@@ -1,4 +1,4 @@
-declare module 'http-signature' {
+declare module '@peertube/http-signature' {
 	import { IncomingMessage, ClientRequest } from 'http';
 
 	interface ISignature {

diff --git a/src/queue/index.ts b/src/queue/index.ts
@@ -1,4 +1,4 @@
-import * as httpSignature from 'http-signature';
+import * as httpSignature from '@peertube/http-signature';
 
 import config from '../config';
 import { ILocalUser, User } from '../models/entities/user';

diff --git a/src/queue/processors/inbox.ts b/src/queue/processors/inbox.ts
@@ -1,5 +1,5 @@
 import * as Bull from 'bull';
-import * as httpSignature from 'http-signature';
+import * as httpSignature from '@peertube/http-signature';
 import perform from '../../remote/activitypub/perform';
 import Logger from '../../services/logger';
 import { registerOrFetchInstanceDoc } from '../../services/register-or-fetch-instance-doc';

diff --git a/src/queue/types.ts b/src/queue/types.ts
@@ -1,5 +1,4 @@
-//import { ObjectID } from 'mongodb';
-import * as httpSignature from 'http-signature';
+import * as httpSignature from '@peertube/http-signature';
 import { ILocalUser, User } from '../models/entities/user';
 import { IActivity } from '../remote/activitypub/type';
 

diff --git a/src/server/activitypub.ts b/src/server/activitypub.ts
@@ -3,7 +3,7 @@ import config from '../config';
 import * as coBody from 'co-body';
 import * as crypto from 'crypto';
 import { IActivity } from '../remote/activitypub/type';
-import * as httpSignature from 'http-signature';
+import * as httpSignature from '@peertube/http-signature';
 import Logger from '../services/logger';
 import { inspect } from 'util';
 
@@ -61,6 +61,18 @@ async function inbox(ctx: Router.RouterContext) {
 		return;
 	}
 
+	// Validate signature algorithm
+	if (!signature.algorithm.toLowerCase().match(/^((dsa|rsa|ecdsa)-(sha256|sha384|sha512)|ed25519-sha512|hs2019)$/)) {
+		logger.warn(`inbox: invalid signature algorithm ${signature.algorithm}`);
+		ctx.status = 401;
+		ctx.message = 'Invalid Signature Algorithm';
+		return;
+
+		// hs2019
+		// keyType=ED25519 => ed25519-sha512
+		// keyType=other => (keyType)-sha256
+	}
+
 	// Digestヘッダーの検証
 	const digest = ctx.req.headers.digest;
 

diff --git a/test/ap-request.ts b/test/ap-request.ts
@@ -1,7 +1,7 @@
 import * as assert from 'assert';
 import { genRsaKeyPair } from '../src/misc/gen-key-pair';
 import { createSignedPost, createSignedGet } from '../src/remote/activitypub/ap-request';
-const httpSignature = require('http-signature');
+const httpSignature = require('@peertube/http-signature');
 
 export const buildParsedSignature = (signingString: string, signature: string, algorithm: string) => {
 	return {