mirror of
https://github.com/kmc7468/arkvault.git
synced 2025-12-16 06:58:46 +00:00
Request Body의 필드마다 서명하지 않고, 데이터 전체에 대해 서명하도록 개선
This commit is contained in:
static
@@ -1,5 +1,8 @@
|
||||
import { error } from "@sveltejs/kit";
|
||||
import { constants, randomBytes, createPublicKey, publicEncrypt, verify } from "crypto";
|
||||
import { promisify } from "util";
|
||||
import { z } from "zod";
|
||||
import { getClient } from "$lib/server/db/client";
|
||||
|
||||
const makePubKeyToPem = (pubKey: string) =>
|
||||
`-----BEGIN PUBLIC KEY-----\n${pubKey}\n-----END PUBLIC KEY-----`;
|
||||
@@ -17,10 +20,10 @@ export const encryptAsymmetric = (data: Buffer, encPubKey: string) => {
|
||||
return publicEncrypt({ key: makePubKeyToPem(encPubKey), oaepHash: "sha256" }, data);
|
||||
};
|
||||
|
||||
export const verifySignature = (data: string, signature: string, sigPubKey: string) => {
|
||||
export const verifySignature = (data: Buffer, signature: string, sigPubKey: string) => {
|
||||
return verify(
|
||||
"rsa-sha256",
|
||||
Buffer.from(data, "base64"),
|
||||
data,
|
||||
{
|
||||
key: makePubKeyToPem(sigPubKey),
|
||||
padding: constants.RSA_PKCS1_PSS_PADDING,
|
||||
@@ -34,3 +37,31 @@ export const generateChallenge = async (length: number, encPubKey: string) => {
|
||||
const challenge = encryptAsymmetric(answer, encPubKey);
|
||||
return { answer, challenge };
|
||||
};
|
||||
|
||||
export const parseSignedRequest = async <T extends z.ZodTypeAny>(
|
||||
clientId: number,
|
||||
data: unknown,
|
||||
schema: T,
|
||||
) => {
|
||||
const zodRes = z
|
||||
.object({
|
||||
data: schema,
|
||||
signature: z.string().base64().nonempty(),
|
||||
})
|
||||
.safeParse(data);
|
||||
if (!zodRes.success) error(400, "Invalid request body");
|
||||
|
||||
const { data: parsedData, signature } = zodRes.data;
|
||||
if (!parsedData) error(500, "Invalid request body");
|
||||
|
||||
const client = await getClient(clientId);
|
||||
if (!client) {
|
||||
error(500, "Invalid access token");
|
||||
} else if (
|
||||
!verifySignature(Buffer.from(JSON.stringify(parsedData)), signature, client.sigPubKey)
|
||||
) {
|
||||
error(400, "Invalid signature");
|
||||
}
|
||||
|
||||
return parsedData;
|
||||
};
|
||||
|
||||
@@ -149,7 +149,7 @@ export const upgradeToken = async (
|
||||
const client = await getClient(challenge.clientId);
|
||||
if (!client) {
|
||||
error(500, "Invalid challenge answer");
|
||||
} else if (!verifySignature(answer, sigAnswer, client.sigPubKey)) {
|
||||
} else if (!verifySignature(Buffer.from(answer, "base64"), sigAnswer, client.sigPubKey)) {
|
||||
error(401, "Invalid challenge answer signature");
|
||||
}
|
||||
|
||||
|
||||
@@ -104,7 +104,7 @@ export const verifyUserClient = async (
|
||||
const client = await getClient(challenge.clientId);
|
||||
if (!client) {
|
||||
error(500, "Invalid challenge answer");
|
||||
} else if (!verifySignature(answer, sigAnswer, client.sigPubKey)) {
|
||||
} else if (!verifySignature(Buffer.from(answer, "base64"), sigAnswer, client.sigPubKey)) {
|
||||
error(401, "Invalid challenge answer signature");
|
||||
}
|
||||
|
||||
|
||||
@@ -1,18 +1,16 @@
|
||||
import { error } from "@sveltejs/kit";
|
||||
import { getAllUserClients, getClient, setUserClientStateToActive } from "$lib/server/db/client";
|
||||
import { getAllUserClients, setUserClientStateToActive } from "$lib/server/db/client";
|
||||
import {
|
||||
getAllValidClientMeks,
|
||||
registerInitialMek,
|
||||
registerActiveMek,
|
||||
getNextActiveMekVersion,
|
||||
} from "$lib/server/db/mek";
|
||||
import { verifySignature } from "$lib/server/modules/crypto";
|
||||
import { isInitialMekNeeded } from "$lib/server/modules/mek";
|
||||
|
||||
interface NewClientMek {
|
||||
clientId: number;
|
||||
encMek: string;
|
||||
sigEncMek: string;
|
||||
}
|
||||
|
||||
export const getClientMekList = async (userId: number, clientId: number) => {
|
||||
@@ -30,19 +28,11 @@ export const registerInitialActiveMek = async (
|
||||
userId: number,
|
||||
createdBy: number,
|
||||
encMek: string,
|
||||
sigEncMek: string,
|
||||
) => {
|
||||
if (!(await isInitialMekNeeded(userId))) {
|
||||
error(409, "Initial MEK already registered");
|
||||
}
|
||||
|
||||
const client = await getClient(createdBy);
|
||||
if (!client) {
|
||||
error(500, "Invalid access token");
|
||||
} else if (!verifySignature(encMek, sigEncMek, client.sigPubKey)) {
|
||||
error(400, "Invalid signature");
|
||||
}
|
||||
|
||||
await registerInitialMek(userId, createdBy, encMek);
|
||||
await setUserClientStateToActive(userId, createdBy);
|
||||
};
|
||||
@@ -63,17 +53,6 @@ export const registerNewActiveMek = async (
|
||||
error(400, "Invalid key list");
|
||||
}
|
||||
|
||||
const client = await getClient(createdBy);
|
||||
if (!client) {
|
||||
error(500, "Invalid access token");
|
||||
} else if (
|
||||
!clientMeks.every(({ encMek, sigEncMek }) =>
|
||||
verifySignature(encMek, sigEncMek, client.sigPubKey),
|
||||
)
|
||||
) {
|
||||
error(400, "Invalid signature");
|
||||
}
|
||||
|
||||
const newMekVersion = await getNextActiveMekVersion(userId);
|
||||
await registerActiveMek(userId, newMekVersion, createdBy, clientMeks);
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user