kmc7468/arkvault
1
0
Fork 0
mirror of https://github.com/kmc7468/arkvault.git synced 2025-12-14 22:08:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Request Body의 필드마다 서명하지 않고, 데이터 전체에 대해 서명하도록 개선

Browse Source
This commit is contained in:
static
2024-12-31 09:32:37 +09:00
parent 5c535d1191
commit 0d00e2476a
10 changed files with 73 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/lib/modules/crypto.ts
View File

@@ -45,7 +45,7 @@ export const exportRSAKeyToBase64 = async (key: CryptoKey) => {
return encodeToBase64((await exportRSAKey(key)).key); return encodeToBase64((await exportRSAKey(key)).key);
}; };
export const encryptRSAPlaintext = async (plaintext: ArrayBuffer, publicKey: CryptoKey) => { export const encryptRSAPlaintext = async (plaintext: BufferSource, publicKey: CryptoKey) => {
return await window.crypto.subtle.encrypt( return await window.crypto.subtle.encrypt(
{ {
name: "RSA-OAEP", name: "RSA-OAEP",
@@ -55,7 +55,7 @@ export const encryptRSAPlaintext = async (plaintext: ArrayBuffer, publicKey: Cry
); );
}; };
export const decryptRSACiphertext = async (ciphertext: ArrayBuffer, privateKey: CryptoKey) => { export const decryptRSACiphertext = async (ciphertext: BufferSource, privateKey: CryptoKey) => {
return await window.crypto.subtle.decrypt( return await window.crypto.subtle.decrypt(
{ {
name: "RSA-OAEP", name: "RSA-OAEP",
@@ -65,7 +65,7 @@ export const decryptRSACiphertext = async (ciphertext: ArrayBuffer, privateKey:
); );
}; };
export const signRSAMessage = async (message: ArrayBuffer, privateKey: CryptoKey) => { export const signRSAMessage = async (message: BufferSource, privateKey: CryptoKey) => {
return await window.crypto.subtle.sign( return await window.crypto.subtle.sign(
{ {
name: "RSA-PSS", name: "RSA-PSS",
@@ -100,3 +100,12 @@ export const makeAESKeyNonextractable = async (key: CryptoKey) => {
export const exportAESKey = async (key: CryptoKey) => { export const exportAESKey = async (key: CryptoKey) => {
return await window.crypto.subtle.exportKey("raw", key); return await window.crypto.subtle.exportKey("raw", key);
}; };
export const signRequest = async <T>(data: T, privateKey: CryptoKey) => {
const dataBuffer = new TextEncoder().encode(JSON.stringify(data));
const signature = await signRSAMessage(dataBuffer, privateKey);
return JSON.stringify({
data,
signature: encodeToBase64(signature),
});
};

35
src/lib/server/modules/crypto.ts
View File

@@ -1,5 +1,8 @@
import { error } from "@sveltejs/kit";
import { constants, randomBytes, createPublicKey, publicEncrypt, verify } from "crypto"; import { constants, randomBytes, createPublicKey, publicEncrypt, verify } from "crypto";
import { promisify } from "util"; import { promisify } from "util";
import { z } from "zod";
import { getClient } from "$lib/server/db/client";
const makePubKeyToPem = (pubKey: string) => const makePubKeyToPem = (pubKey: string) =>
`-----BEGIN PUBLIC KEY-----\n${pubKey}\n-----END PUBLIC KEY-----`; `-----BEGIN PUBLIC KEY-----\n${pubKey}\n-----END PUBLIC KEY-----`;
@@ -17,10 +20,10 @@ export const encryptAsymmetric = (data: Buffer, encPubKey: string) => {
return publicEncrypt({ key: makePubKeyToPem(encPubKey), oaepHash: "sha256" }, data); return publicEncrypt({ key: makePubKeyToPem(encPubKey), oaepHash: "sha256" }, data);
}; };
export const verifySignature = (data: string, signature: string, sigPubKey: string) => { export const verifySignature = (data: Buffer, signature: string, sigPubKey: string) => {
return verify( return verify(
"rsa-sha256", "rsa-sha256",
Buffer.from(data, "base64"), data,
{ {
key: makePubKeyToPem(sigPubKey), key: makePubKeyToPem(sigPubKey),
padding: constants.RSA_PKCS1_PSS_PADDING, padding: constants.RSA_PKCS1_PSS_PADDING,
@@ -34,3 +37,31 @@ export const generateChallenge = async (length: number, encPubKey: string) => {
const challenge = encryptAsymmetric(answer, encPubKey); const challenge = encryptAsymmetric(answer, encPubKey);
return { answer, challenge }; return { answer, challenge };
}; };
export const parseSignedRequest = async <T extends z.ZodTypeAny>(
clientId: number,
data: unknown,
schema: T,
) => {
const zodRes = z
.object({
data: schema,
signature: z.string().base64().nonempty(),
})
.safeParse(data);
if (!zodRes.success) error(400, "Invalid request body");
const { data: parsedData, signature } = zodRes.data;
if (!parsedData) error(500, "Invalid request body");
const client = await getClient(clientId);
if (!client) {
error(500, "Invalid access token");
} else if (
!verifySignature(Buffer.from(JSON.stringify(parsedData)), signature, client.sigPubKey)
) {
error(400, "Invalid signature");
}
return parsedData;
};

2
src/lib/server/services/auth.ts
View File

@@ -149,7 +149,7 @@ export const upgradeToken = async (
const client = await getClient(challenge.clientId); const client = await getClient(challenge.clientId);
if (!client) { if (!client) {
error(500, "Invalid challenge answer"); error(500, "Invalid challenge answer");
} else if (!verifySignature(answer, sigAnswer, client.sigPubKey)) { } else if (!verifySignature(Buffer.from(answer, "base64"), sigAnswer, client.sigPubKey)) {
error(401, "Invalid challenge answer signature"); error(401, "Invalid challenge answer signature");
} }

2
src/lib/server/services/client.ts
View File

@@ -104,7 +104,7 @@ export const verifyUserClient = async (
const client = await getClient(challenge.clientId); const client = await getClient(challenge.clientId);
if (!client) { if (!client) {
error(500, "Invalid challenge answer"); error(500, "Invalid challenge answer");
} else if (!verifySignature(answer, sigAnswer, client.sigPubKey)) { } else if (!verifySignature(Buffer.from(answer, "base64"), sigAnswer, client.sigPubKey)) {
error(401, "Invalid challenge answer signature"); error(401, "Invalid challenge answer signature");
} }

23
src/lib/server/services/mek.ts
View File

@@ -1,18 +1,16 @@
import { error } from "@sveltejs/kit"; import { error } from "@sveltejs/kit";
import { getAllUserClients, getClient, setUserClientStateToActive } from "$lib/server/db/client"; import { getAllUserClients, setUserClientStateToActive } from "$lib/server/db/client";
import { import {
getAllValidClientMeks, getAllValidClientMeks,
registerInitialMek, registerInitialMek,
registerActiveMek, registerActiveMek,
getNextActiveMekVersion, getNextActiveMekVersion,
} from "$lib/server/db/mek"; } from "$lib/server/db/mek";
import { verifySignature } from "$lib/server/modules/crypto";
import { isInitialMekNeeded } from "$lib/server/modules/mek"; import { isInitialMekNeeded } from "$lib/server/modules/mek";
interface NewClientMek { interface NewClientMek {
clientId: number; clientId: number;
encMek: string; encMek: string;
sigEncMek: string;
} }
export const getClientMekList = async (userId: number, clientId: number) => { export const getClientMekList = async (userId: number, clientId: number) => {
@@ -30,19 +28,11 @@ export const registerInitialActiveMek = async (
userId: number, userId: number,
createdBy: number, createdBy: number,
encMek: string, encMek: string,
sigEncMek: string,
) => { ) => {
if (!(await isInitialMekNeeded(userId))) { if (!(await isInitialMekNeeded(userId))) {
error(409, "Initial MEK already registered"); error(409, "Initial MEK already registered");
} }
const client = await getClient(createdBy);
if (!client) {
error(500, "Invalid access token");
} else if (!verifySignature(encMek, sigEncMek, client.sigPubKey)) {
error(400, "Invalid signature");
}
await registerInitialMek(userId, createdBy, encMek); await registerInitialMek(userId, createdBy, encMek);
await setUserClientStateToActive(userId, createdBy); await setUserClientStateToActive(userId, createdBy);
}; };
@@ -63,17 +53,6 @@ export const registerNewActiveMek = async (
error(400, "Invalid key list"); error(400, "Invalid key list");
} }
const client = await getClient(createdBy);
if (!client) {
error(500, "Invalid access token");
} else if (
!clientMeks.every(({ encMek, sigEncMek }) =>
verifySignature(encMek, sigEncMek, client.sigPubKey),
)
) {
error(400, "Invalid signature");
}
const newMekVersion = await getNextActiveMekVersion(userId); const newMekVersion = await getNextActiveMekVersion(userId);
await registerActiveMek(userId, newMekVersion, createdBy, clientMeks); await registerActiveMek(userId, newMekVersion, createdBy, clientMeks);
}; };

2
src/lib/services/key.ts
View File

@@ -28,7 +28,7 @@ export const requestClientRegistration = async (
const answer = await decryptRSACiphertext(decodeFromBase64(challenge), decryptKey); const answer = await decryptRSACiphertext(decodeFromBase64(challenge), decryptKey);
const sigAnswer = await signRSAMessage(answer, signKey); const sigAnswer = await signRSAMessage(answer, signKey);
res = await callAPI("/api/client/verify", { res = await callAPI("/api/client/register/verify", {
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json", "Content-Type": "application/json",

13
src/routes/(fullscreen)/key/export/service.ts
View File

@@ -1,6 +1,6 @@
import { callAPI } from "$lib/hooks"; import { callAPI } from "$lib/hooks";
import { storeRSAKey } from "$lib/indexedDB"; import { storeRSAKey } from "$lib/indexedDB";
import { encodeToBase64, encryptRSAPlaintext, signRSAMessage } from "$lib/modules/crypto"; import { encodeToBase64, encryptRSAPlaintext, signRequest } from "$lib/modules/crypto";
import type { ClientKeys } from "$lib/stores"; import type { ClientKeys } from "$lib/stores";
export { requestTokenUpgrade } from "$lib/services/auth"; export { requestTokenUpgrade } from "$lib/services/auth";
@@ -47,16 +47,17 @@ export const requestInitialMekRegistration = async (
signKey: CryptoKey, signKey: CryptoKey,
) => { ) => {
const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, encryptKey); const mekDraftEncrypted = await encryptRSAPlaintext(mekDraft, encryptKey);
const mekDraftEncryptedSigned = await signRSAMessage(mekDraftEncrypted, signKey);
const res = await callAPI("/api/mek/register/initial", { const res = await callAPI("/api/mek/register/initial", {
method: "POST", method: "POST",
headers: { headers: {
"Content-Type": "application/json", "Content-Type": "application/json",
}, },
body: JSON.stringify({ body: await signRequest(
mek: encodeToBase64(mekDraftEncrypted), {
sigMek: encodeToBase64(mekDraftEncryptedSigned), mek: encodeToBase64(mekDraftEncrypted),
}), },
signKey,
),
}); });
return res.ok || res.status === 409; return res.ok || res.status === 409;
}; };

0
src/routes/api/client/verify/+server.ts → src/routes/api/client/register/verify/+server.ts
View File

20
src/routes/api/mek/register/+server.ts
View File

@@ -1,33 +1,31 @@
import { error, text } from "@sveltejs/kit"; import { text } from "@sveltejs/kit";
import { z } from "zod"; import { z } from "zod";
import { authorize } from "$lib/server/modules/auth"; import { authorize } from "$lib/server/modules/auth";
import { parseSignedRequest } from "$lib/server/modules/crypto";
import { registerNewActiveMek } from "$lib/server/services/mek"; import { registerNewActiveMek } from "$lib/server/services/mek";
import type { RequestHandler } from "@sveltejs/kit"; import type { RequestHandler } from "@sveltejs/kit";
export const POST: RequestHandler = async ({ request, cookies }) => { export const POST: RequestHandler = async ({ request, cookies }) => {
const { userId, clientId } = await authorize(cookies, "activeClient"); const { userId, clientId } = await authorize(cookies, "activeClient");
const { meks } = await parseSignedRequest(
const zodRes = z clientId,
.object({ await request.json(),
z.object({
meks: z.array( meks: z.array(
z.object({ z.object({
clientId: z.number().int().positive(), clientId: z.number().int().positive(),
mek: z.string().base64().nonempty(), mek: z.string().base64().nonempty(),
sigMek: z.string().base64().nonempty(),
}), }),
), ),
}) }),
.safeParse(await request.json()); );
if (!zodRes.success) error(400, "Invalid request body");
const { meks } = zodRes.data;
await registerNewActiveMek( await registerNewActiveMek(
userId, userId,
clientId, clientId,
meks.map(({ clientId, mek, sigMek }) => ({ meks.map(({ clientId, mek }) => ({
clientId, clientId,
encMek: mek, encMek: mek,
sigEncMek: sigMek,
})), })),
); );
return text("MEK registered", { headers: { "Content-Type": "text/plain" } }); return text("MEK registered", { headers: { "Content-Type": "text/plain" } });

16
src/routes/api/mek/register/initial/+server.ts
View File

@@ -1,6 +1,7 @@
import { error, text } from "@sveltejs/kit"; import { error, text } from "@sveltejs/kit";
import { z } from "zod"; import { z } from "zod";
import { authenticate } from "$lib/server/modules/auth"; import { authenticate } from "$lib/server/modules/auth";
import { parseSignedRequest } from "$lib/server/modules/crypto";
import { registerInitialActiveMek } from "$lib/server/services/mek"; import { registerInitialActiveMek } from "$lib/server/services/mek";
import type { RequestHandler } from "@sveltejs/kit"; import type { RequestHandler } from "@sveltejs/kit";
@@ -10,15 +11,14 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
error(403, "Forbidden"); error(403, "Forbidden");
} }
const zodRes = z const { mek } = await parseSignedRequest(
.object({ clientId,
await request.json(),
z.object({
mek: z.string().base64().nonempty(), mek: z.string().base64().nonempty(),
sigMek: z.string().base64().nonempty(), }),
}) );
.safeParse(await request.json());
if (!zodRes.success) error(400, "Invalid request body");
const { mek, sigMek } = zodRes.data;
await registerInitialActiveMek(userId, clientId, mek, sigMek); await registerInitialActiveMek(userId, clientId, mek);
return text("MEK registered", { headers: { "Content-Type": "text/plain" } }); return text("MEK registered", { headers: { "Content-Type": "text/plain" } });
}; };