/api/mek/register, /api/mek/register/initial Endpoint에서 MEK에 대한 서명을 요구하도록 변경

2025-12-16 06:58:46 +00:00 · 2024-12-31 07:48:40 +09:00
parent f30cc697bb
commit 3ee6365ff2
6 changed files with 51 additions and 12 deletions
--- a/src/lib/server/db/mek.ts
+++ b/src/lib/server/db/mek.ts
@@ -2,7 +2,7 @@ import { and, or, eq, lt, desc } from "drizzle-orm";
 import db from "./drizzle";
 import { mek, clientMek, userClient } from "./schema";

-export interface ClientMek {
+interface ClientMek {
  clientId: number;
  encMek: string;
 }
--- a/src/lib/server/services/mek.ts
+++ b/src/lib/server/services/mek.ts
@@ -1,14 +1,20 @@
 import { error } from "@sveltejs/kit";
-import { getAllUserClients, setUserClientStateToActive } from "$lib/server/db/client";
+import { getAllUserClients, getClient, setUserClientStateToActive } from "$lib/server/db/client";
 import {
  getAllValidClientMeks,
  registerInitialMek,
  registerActiveMek,
  getNextActiveMekVersion,
-  type ClientMek,
 } from "$lib/server/db/mek";
+import { verifySignature } from "$lib/server/modules/crypto";
 import { isInitialMekNeeded } from "$lib/server/modules/mek";

+interface NewClientMek {
+  clientId: number;
+  encMek: string;
+  sigEncMek: string;
+}
+
 export const getClientMekList = async (userId: number, clientId: number) => {
  const clientMeks = await getAllValidClientMeks(userId, clientId);
  return {
@@ -24,9 +30,17 @@ export const registerInitialActiveMek = async (
  userId: number,
  createdBy: number,
  encMek: string,
+  sigEncMek: string,
 ) => {
  if (!(await isInitialMekNeeded(userId))) {
-    error(403, "Forbidden");
+    error(409, "Initial MEK already registered");
+  }
+
+  const client = await getClient(createdBy);
+  if (!client) {
+    error(500, "Invalid access token");
+  } else if (!verifySignature(encMek, sigEncMek, client.sigPubKey)) {
+    error(400, "Invalid signature");
  }

  await registerInitialMek(userId, createdBy, encMek);
@@ -36,7 +50,7 @@ export const registerInitialActiveMek = async (
 export const registerNewActiveMek = async (
  userId: number,
  createdBy: number,
-  clientMeks: ClientMek[],
+  clientMeks: NewClientMek[],
 ) => {
  const userClients = await getAllUserClients(userId);
  const activeUserClients = userClients.filter(({ state }) => state === "active");
@@ -49,6 +63,17 @@ export const registerNewActiveMek = async (
    error(400, "Invalid key list");
  }

+  const client = await getClient(createdBy);
+  if (!client) {
+    error(500, "Invalid access token");
+  } else if (
+    !clientMeks.every(({ encMek, sigEncMek }) =>
+      verifySignature(encMek, sigEncMek, client.sigPubKey),
+    )
+  ) {
+    error(400, "Invalid signature");
+  }
+
  const newMekVersion = await getNextActiveMekVersion(userId);
  await registerActiveMek(userId, newMekVersion, createdBy, clientMeks);
 };