Tune Signature Algorithm

mei23 · Dec 2, 2023 · 0e2fc00 · 0e2fc00 · mei23 · Dec 2, 2023
1 parent 230ab7c
commit 0e2fc00
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 25 deletions.
diff --git a/package.json b/package.json
@@ -80,7 +80,7 @@
 		"highlight.js": "10.6.0",
 		"htmlescape": "1.1.1",
 		"http-proxy-agent": "5.0.0",
-		"http-signature": "git+https://github.com/mei23/node-http-signature#v1.6.0-mei",
+		"@peertube/http-signature": "1.7.0",
 		"https-proxy-agent": "5.0.1",
 		"insert-text-at-cursor": "0.3.0",
 		"ioredis": "5.3.2",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/@types/http-signature.d.ts b/src/@types/http-signature.d.ts
@@ -1,4 +1,4 @@
-declare module 'http-signature' {
+declare module '@peertube/http-signature' {
 	import { IncomingMessage, ClientRequest } from 'http';
 
 	interface ISignature {

diff --git a/src/queue/index.ts b/src/queue/index.ts
@@ -1,4 +1,4 @@
-import * as httpSignature from 'http-signature';
+import * as httpSignature from '@peertube/http-signature';
 import config from '../config';
 import { InboxInfo, InboxRequestData, WebpushDeliverJobData } from './types';
 import { deliverQueue, webpushDeliverQueue, inboxQueue, inboxLazyQueue, dbQueue } from './queues';

diff --git a/src/queue/processors/inbox.ts b/src/queue/processors/inbox.ts
@@ -1,5 +1,5 @@
 import * as Bull from 'bull';
-import * as httpSignature from 'http-signature';
+import * as httpSignature from '@peertube/http-signature';
 import { IRemoteUser } from '../../models/user';
 import perform from '../../remote/activitypub/perform';
 import { resolvePerson } from '../../remote/activitypub/models/person';

diff --git a/src/queue/types.ts b/src/queue/types.ts
@@ -1,4 +1,4 @@
-import * as httpSignature from 'http-signature';
+import * as httpSignature from '@peertube/http-signature';
 import { IActivity } from '../remote/activitypub/type';
 import * as webpush from 'web-push';
 

diff --git a/src/server/activitypub.ts b/src/server/activitypub.ts
@@ -2,7 +2,7 @@ import { ObjectID } from 'mongodb';
 import * as Router from '@koa/router';
 import * as coBody from 'co-body';
 import * as crypto from 'crypto';
-import * as httpSignature from 'http-signature';
+import * as httpSignature from '@peertube/http-signature';
 
 import { renderActivity } from '../remote/activitypub/renderer';
 import Note, { INote } from '../models/note';
@@ -71,6 +71,18 @@ async function inbox(ctx: Router.RouterContext) {
 		return;
 	}
 
+	// Validate signature algorithm
+	if (!signature.algorithm.toLowerCase().match(/^((dsa|rsa|ecdsa)-(sha256|sha384|sha512)|ed25519-sha512|hs2019)$/)) {
+		logger.warn(`inbox: invalid signature algorithm ${signature.algorithm}`);
+		ctx.status = 401;
+		ctx.message = 'Invalid Signature Algorithm';
+		return;
+
+		// hs2019
+		// keyType=ED25519 => ed25519-sha512
+		// keyType=other => (keyType)-sha256
+	}
+
 	// Digestヘッダーの検証
 	const digest = ctx.req.headers.digest;