Request Body의 필드마다 서명하지 않고, 데이터 전체에 대해 서명하도록 개선

src/routes/(fullscreen)/key/export/service.ts

@@ -1,6 +1,6 @@
 import { callAPI } from "$lib/hooks";
 import { storeRSAKey } from "$lib/indexedDB";
-import { encodeToBase64, encryptRSAPlaintext, signRSAMessage } from "$lib/modules/crypto";
+import { encodeToBase64, encryptRSAPlaintext, signRequest } from "$lib/modules/crypto";
 import type { ClientKeys } from "$lib/stores";
 
 export { requestTokenUpgrade } from "$lib/services/auth";
@@ -47,16 +47,17 @@ export const requestInitialMekRegistration = async (
   signKey: CryptoKey,
 ) => {
   const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, encryptKey);
-  const mekDraftEncryptedSigned = await signRSAMessage(mekDraftEncrypted, signKey);
   const res = await callAPI("/api/mek/register/initial", {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
     },
-    body: JSON.stringify({
-      mek: encodeToBase64(mekDraftEncrypted),
-      sigMek: encodeToBase64(mekDraftEncryptedSigned),
-    }),
+    body: await signRequest(
+      {
+        mek: encodeToBase64(mekDraftEncrypted),
+      },
+      signKey,
+    ),
   });
   return res.ok || res.status === 409;
 };

src/routes/api/mek/register/+server.ts

@@ -1,33 +1,31 @@
-import { error, text } from "@sveltejs/kit";
+import { text } from "@sveltejs/kit";
 import { z } from "zod";
 import { authorize } from "$lib/server/modules/auth";
+import { parseSignedRequest } from "$lib/server/modules/crypto";
 import { registerNewActiveMek } from "$lib/server/services/mek";
 import type { RequestHandler } from "@sveltejs/kit";
 
 export const POST: RequestHandler = async ({ request, cookies }) => {
   const { userId, clientId } = await authorize(cookies, "activeClient");
-
-  const zodRes = z
-    .object({
+  const { meks } = await parseSignedRequest(
+    clientId,
+    await request.json(),
+    z.object({
       meks: z.array(
         z.object({
           clientId: z.number().int().positive(),
           mek: z.string().base64().nonempty(),
-          sigMek: z.string().base64().nonempty(),
         }),
       ),
-    })
-    .safeParse(await request.json());
-  if (!zodRes.success) error(400, "Invalid request body");
-  const { meks } = zodRes.data;
+    }),
+  );
 
   await registerNewActiveMek(
     userId,
     clientId,
-    meks.map(({ clientId, mek, sigMek }) => ({
+    meks.map(({ clientId, mek }) => ({
       clientId,
       encMek: mek,
-      sigEncMek: sigMek,
     })),
   );
   return text("MEK registered", { headers: { "Content-Type": "text/plain" } });

src/routes/api/mek/register/initial/+server.ts

@@ -1,6 +1,7 @@
 import { error, text } from "@sveltejs/kit";
 import { z } from "zod";
 import { authenticate } from "$lib/server/modules/auth";
+import { parseSignedRequest } from "$lib/server/modules/crypto";
 import { registerInitialActiveMek } from "$lib/server/services/mek";
 import type { RequestHandler } from "@sveltejs/kit";
 
@@ -10,15 +11,14 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
     error(403, "Forbidden");
   }
 
-  const zodRes = z
-    .object({
+  const { mek } = await parseSignedRequest(
+    clientId,
+    await request.json(),
+    z.object({
       mek: z.string().base64().nonempty(),
-      sigMek: z.string().base64().nonempty(),
-    })
-    .safeParse(await request.json());
-  if (!zodRes.success) error(400, "Invalid request body");
-  const { mek, sigMek } = zodRes.data;
+    }),
+  );
 
-  await registerInitialActiveMek(userId, clientId, mek, sigMek);
+  await registerInitialActiveMek(userId, clientId, mek);
   return text("MEK registered", { headers: { "Content-Type": "text/plain" } });
 };