Init commit
This commit is contained in:
153
server/core/helpers/peertube-jsonld.ts
Normal file
153
server/core/helpers/peertube-jsonld.ts
Normal file
@@ -0,0 +1,153 @@
|
||||
import { omit } from '@peertube/peertube-core-utils'
|
||||
import { sha256 } from '@peertube/peertube-node-utils'
|
||||
import { createSign, createVerify } from 'crypto'
|
||||
import cloneDeep from 'lodash-es/cloneDeep.js'
|
||||
import { MActor } from '../types/models/index.js'
|
||||
import { getAllContext } from './activity-pub-utils.js'
|
||||
import { jsonld } from './custom-jsonld-signature.js'
|
||||
import { isArray } from './custom-validators/misc.js'
|
||||
import { logger } from './logger.js'
|
||||
import { assertIsInWorkerThread } from './threads.js'
|
||||
|
||||
type ExpressRequest = { body: any }
|
||||
|
||||
export function compactJSONLDAndCheckSignature (fromActor: MActor, req: ExpressRequest): Promise<boolean> {
|
||||
if (req.body.signature.type === 'RsaSignature2017') {
|
||||
return compactJSONLDAndCheckRSA2017Signature(fromActor, req)
|
||||
}
|
||||
|
||||
logger.warn('Unknown JSON LD signature %s.', req.body.signature.type, req.body)
|
||||
|
||||
return Promise.resolve(false)
|
||||
}
|
||||
|
||||
// Backward compatibility with "other" implementations
|
||||
export async function compactJSONLDAndCheckRSA2017Signature (fromActor: MActor, req: ExpressRequest) {
|
||||
const compacted = await jsonldCompact(omit(req.body, [ 'signature' ]))
|
||||
|
||||
fixCompacted(req.body, compacted)
|
||||
|
||||
req.body = { ...compacted, signature: req.body.signature }
|
||||
|
||||
if (compacted['@include']) {
|
||||
logger.warn('JSON-LD @include is not supported')
|
||||
return false
|
||||
}
|
||||
|
||||
const [ documentHash, optionsHash ] = await Promise.all([
|
||||
hashObject(compacted),
|
||||
createSignatureHash(req.body.signature)
|
||||
])
|
||||
|
||||
const toVerify = optionsHash + documentHash
|
||||
|
||||
const verify = createVerify('RSA-SHA256')
|
||||
verify.update(toVerify, 'utf8')
|
||||
|
||||
return verify.verify(fromActor.publicKey, req.body.signature.signatureValue, 'base64')
|
||||
}
|
||||
|
||||
function fixCompacted (original: any, compacted: any) {
|
||||
if (!original || !compacted) return
|
||||
|
||||
for (const [ k, v ] of Object.entries(original)) {
|
||||
if (k === '@context' || k === 'signature') continue
|
||||
if (v === undefined || v === null) continue
|
||||
|
||||
const cv = compacted[k]
|
||||
if (cv === undefined || cv === null) continue
|
||||
|
||||
if (typeof v === 'string') {
|
||||
if (v === 'https://www.w3.org/ns/activitystreams#Public' && cv === 'as:Public') {
|
||||
compacted[k] = v
|
||||
}
|
||||
}
|
||||
|
||||
if (isArray(v) && !isArray(cv)) {
|
||||
compacted[k] = [ cv ]
|
||||
|
||||
for (let i = 0; i < v.length; i++) {
|
||||
if (v[i] === 'https://www.w3.org/ns/activitystreams#Public' && cv[i] === 'as:Public') {
|
||||
compacted[k][i] = v[i]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (typeof v === 'object') {
|
||||
fixCompacted(original[k], compacted[k])
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
export async function signJsonLDObject<T> (options: {
|
||||
byActor: { url: string, privateKey: string }
|
||||
data: T
|
||||
disableWorkerThreadAssertion?: boolean
|
||||
}) {
|
||||
const { byActor, data, disableWorkerThreadAssertion = false } = options
|
||||
|
||||
if (!disableWorkerThreadAssertion) assertIsInWorkerThread()
|
||||
|
||||
const signature = {
|
||||
type: 'RsaSignature2017',
|
||||
creator: byActor.url,
|
||||
created: new Date().toISOString()
|
||||
}
|
||||
|
||||
const [ documentHash, optionsHash ] = await Promise.all([
|
||||
createDocWithoutSignatureHash(data),
|
||||
createSignatureHash(signature)
|
||||
])
|
||||
|
||||
const toSign = optionsHash + documentHash
|
||||
|
||||
const sign = createSign('RSA-SHA256')
|
||||
sign.update(toSign, 'utf8')
|
||||
|
||||
const signatureValue = sign.sign(byActor.privateKey, 'base64')
|
||||
Object.assign(signature, { signatureValue })
|
||||
|
||||
return Object.assign(data, { signature })
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Private
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
async function hashObject (obj: any): Promise<any> {
|
||||
const res = await jsonldNormalize(obj)
|
||||
|
||||
return sha256(res)
|
||||
}
|
||||
|
||||
function jsonldCompact (obj: any) {
|
||||
return (jsonld as any).promises.compact(obj, getAllContext())
|
||||
}
|
||||
|
||||
function jsonldNormalize (obj: any) {
|
||||
return (jsonld as any).promises.normalize(obj, {
|
||||
safe: true,
|
||||
algorithm: 'URDNA2015',
|
||||
format: 'application/n-quads'
|
||||
})
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
function createSignatureHash (signature: any) {
|
||||
return hashObject({
|
||||
'@context': [
|
||||
'https://w3id.org/security/v1',
|
||||
{ RsaSignature2017: 'https://w3id.org/security#RsaSignature2017' }
|
||||
],
|
||||
|
||||
...omit(signature, [ 'type', 'id', 'signatureValue' ])
|
||||
})
|
||||
}
|
||||
|
||||
function createDocWithoutSignatureHash (doc: any) {
|
||||
const docWithoutSignature = cloneDeep(doc)
|
||||
delete docWithoutSignature.signature
|
||||
|
||||
return hashObject(docWithoutSignature)
|
||||
}
|
||||
Reference in New Issue
Block a user