mirror of
https://git.asonix.dog/asonix/relay.git
synced 2024-11-22 01:21:06 +00:00
Switch to ring for crypto
This commit is contained in:
parent
731a831070
commit
2cbe4864c3
6 changed files with 54 additions and 37 deletions
8
Cargo.lock
generated
8
Cargo.lock
generated
|
@ -423,6 +423,7 @@ dependencies = [
|
|||
"pin-project-lite",
|
||||
"quanta",
|
||||
"rand",
|
||||
"ring",
|
||||
"rsa",
|
||||
"rsa-magic-public-key",
|
||||
"ructe",
|
||||
|
@ -1460,9 +1461,9 @@ dependencies = [
|
|||
|
||||
[[package]]
|
||||
name = "http-signature-normalization-actix"
|
||||
version = "0.10.0"
|
||||
version = "0.10.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7978cadb8c73ab0d7115a4260e8a64188212ce44d11f0b0109c4beebc6bbb5c9"
|
||||
checksum = "f16b1af0de27fe75ea5c1da8da1ce826274cc623bda49eb5e9395aa4ea0b34d4"
|
||||
dependencies = [
|
||||
"actix-http",
|
||||
"actix-rt",
|
||||
|
@ -1471,7 +1472,7 @@ dependencies = [
|
|||
"base64 0.13.1",
|
||||
"futures-util",
|
||||
"http-signature-normalization",
|
||||
"sha2",
|
||||
"ring",
|
||||
"thiserror",
|
||||
"tokio",
|
||||
"tracing",
|
||||
|
@ -2743,7 +2744,6 @@ dependencies = [
|
|||
"pkcs1",
|
||||
"pkcs8",
|
||||
"rand_core",
|
||||
"sha2",
|
||||
"signature",
|
||||
"spki",
|
||||
"subtle",
|
||||
|
|
|
@ -55,7 +55,8 @@ opentelemetry-otlp = "0.12"
|
|||
pin-project-lite = "0.2.9"
|
||||
quanta = "0.11.0"
|
||||
rand = "0.8"
|
||||
rsa = { version = "0.9", features = ["sha2"] }
|
||||
ring = "0.16.20"
|
||||
rsa = { version = "0.9" }
|
||||
rsa-magic-public-key = "0.8.0"
|
||||
rustls = "0.20.7"
|
||||
rustls-pemfile = "1.0.1"
|
||||
|
@ -89,9 +90,9 @@ default-features = false
|
|||
features = ["background-jobs-actix", "error-logging"]
|
||||
|
||||
[dependencies.http-signature-normalization-actix]
|
||||
version = "0.10.0"
|
||||
version = "0.10.1"
|
||||
default-features = false
|
||||
features = ["client", "server", "sha-2"]
|
||||
features = ["client", "server", "ring"]
|
||||
|
||||
[dependencies.tracing-actix-web]
|
||||
version = "0.7.5"
|
||||
|
|
|
@ -11,8 +11,7 @@ use activitystreams::{
|
|||
},
|
||||
};
|
||||
use config::Environment;
|
||||
use http_signature_normalization_actix::prelude::VerifyDigest;
|
||||
use rsa::sha2::{Digest, Sha256};
|
||||
use http_signature_normalization_actix::{digest::ring::Sha256, prelude::VerifyDigest};
|
||||
use rustls::{Certificate, PrivateKey};
|
||||
use std::{
|
||||
io::BufReader,
|
||||
|
|
11
src/error.rs
11
src/error.rs
|
@ -81,6 +81,9 @@ pub(crate) enum ErrorKind {
|
|||
#[error("Couldn't encode public key, {0}")]
|
||||
Spki(#[from] rsa::pkcs8::spki::Error),
|
||||
|
||||
#[error("Couldn't sign request")]
|
||||
SignRequest,
|
||||
|
||||
#[error("Couldn't parse IRI, {0}")]
|
||||
ParseIri(#[from] activitystreams::iri_string::validate::Error),
|
||||
|
||||
|
@ -105,11 +108,11 @@ pub(crate) enum ErrorKind {
|
|||
#[error("Couldn't sign digest")]
|
||||
Signature(#[from] rsa::signature::Error),
|
||||
|
||||
#[error("Couldn't read signature")]
|
||||
ReadSignature(rsa::signature::Error),
|
||||
|
||||
#[error("Couldn't verify signature")]
|
||||
VerifySignature(rsa::signature::Error),
|
||||
VerifySignature,
|
||||
|
||||
#[error("Failed to encode key der")]
|
||||
DerEncode,
|
||||
|
||||
#[error("Couldn't parse the signature header")]
|
||||
HeaderValidation(#[from] actix_web::http::header::InvalidHeaderValue),
|
||||
|
|
|
@ -8,10 +8,7 @@ use crate::{
|
|||
use activitystreams::{base::BaseExt, iri, iri_string::types::IriString};
|
||||
use base64::{engine::general_purpose::STANDARD, Engine};
|
||||
use http_signature_normalization_actix::{prelude::*, verify::DeprecatedAlgorithm, Spawn};
|
||||
use rsa::{
|
||||
pkcs1v15::Signature, pkcs1v15::VerifyingKey, pkcs8::DecodePublicKey, sha2::Sha256,
|
||||
signature::Verifier, RsaPublicKey,
|
||||
};
|
||||
use rsa::{pkcs1::EncodeRsaPublicKey, pkcs8::DecodePublicKey, RsaPublicKey};
|
||||
use std::{future::Future, pin::Pin};
|
||||
|
||||
#[derive(Clone, Debug)]
|
||||
|
@ -128,19 +125,23 @@ async fn do_verify(
|
|||
signing_string: String,
|
||||
) -> Result<(), Error> {
|
||||
let public_key = RsaPublicKey::from_public_key_pem(public_key.trim())?;
|
||||
let public_key_der = public_key
|
||||
.to_pkcs1_der()
|
||||
.map_err(|_| ErrorKind::DerEncode)?;
|
||||
let public_key = ring::signature::UnparsedPublicKey::new(
|
||||
&ring::signature::RSA_PKCS1_2048_8192_SHA256,
|
||||
public_key_der,
|
||||
);
|
||||
|
||||
let span = tracing::Span::current();
|
||||
spawner
|
||||
.spawn_blocking(move || {
|
||||
span.in_scope(|| {
|
||||
let decoded = STANDARD.decode(signature)?;
|
||||
let signature =
|
||||
Signature::try_from(decoded.as_slice()).map_err(ErrorKind::ReadSignature)?;
|
||||
|
||||
let verifying_key = VerifyingKey::<Sha256>::new(public_key);
|
||||
verifying_key
|
||||
.verify(signing_string.as_bytes(), &signature)
|
||||
.map_err(ErrorKind::VerifySignature)?;
|
||||
public_key
|
||||
.verify(signing_string.as_bytes(), decoded.as_slice())
|
||||
.map_err(|_| ErrorKind::VerifySignature)?;
|
||||
|
||||
Ok(()) as Result<(), Error>
|
||||
})
|
||||
|
|
|
@ -8,14 +8,12 @@ use actix_web::http::header::Date;
|
|||
use awc::{error::SendRequestError, Client, ClientResponse, Connector};
|
||||
use base64::{engine::general_purpose::STANDARD, Engine};
|
||||
use dashmap::DashMap;
|
||||
use http_signature_normalization_actix::prelude::*;
|
||||
use rand::thread_rng;
|
||||
use rsa::{
|
||||
pkcs1v15::SigningKey,
|
||||
sha2::{Digest, Sha256},
|
||||
signature::{RandomizedSigner, SignatureEncoding},
|
||||
RsaPrivateKey,
|
||||
use http_signature_normalization_actix::{digest::ring::Sha256, prelude::*};
|
||||
use ring::{
|
||||
rand::SystemRandom,
|
||||
signature::{RsaKeyPair, RSA_PKCS1_SHA256},
|
||||
};
|
||||
use rsa::{pkcs1::EncodeRsaPrivateKey, RsaPrivateKey};
|
||||
use std::{
|
||||
sync::Arc,
|
||||
time::{Duration, SystemTime},
|
||||
|
@ -145,7 +143,8 @@ pub(crate) struct Requests {
|
|||
client: Client,
|
||||
key_id: String,
|
||||
user_agent: String,
|
||||
private_key: RsaPrivateKey,
|
||||
private_key: Arc<RsaKeyPair>,
|
||||
rng: SystemRandom,
|
||||
config: Config<Spawner>,
|
||||
breakers: Breakers,
|
||||
last_online: Arc<LastOnline>,
|
||||
|
@ -196,12 +195,16 @@ impl Requests {
|
|||
timeout_seconds: u64,
|
||||
spawner: Spawner,
|
||||
) -> Self {
|
||||
let private_key_der = private_key.to_pkcs1_der().expect("Can encode der");
|
||||
let private_key = ring::signature::RsaKeyPair::from_der(private_key_der.as_bytes())
|
||||
.expect("Key is valid");
|
||||
Requests {
|
||||
pool_size,
|
||||
client: build_client(&user_agent, pool_size, timeout_seconds),
|
||||
key_id,
|
||||
user_agent,
|
||||
private_key,
|
||||
private_key: Arc::new(private_key),
|
||||
rng: SystemRandom::new(),
|
||||
config: Config::new().mastodon_compat().spawner(spawner),
|
||||
breakers,
|
||||
last_online,
|
||||
|
@ -407,19 +410,29 @@ impl Requests {
|
|||
fn signer(&self) -> Signer {
|
||||
Signer {
|
||||
private_key: self.private_key.clone(),
|
||||
rng: self.rng.clone(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
struct Signer {
|
||||
private_key: RsaPrivateKey,
|
||||
private_key: Arc<RsaKeyPair>,
|
||||
rng: SystemRandom,
|
||||
}
|
||||
|
||||
impl Signer {
|
||||
fn sign(&self, signing_string: &str) -> Result<String, Error> {
|
||||
let signing_key = SigningKey::<Sha256>::new(self.private_key.clone());
|
||||
let signature =
|
||||
signing_key.try_sign_with_rng(&mut thread_rng(), signing_string.as_bytes())?;
|
||||
Ok(STANDARD.encode(signature.to_bytes().as_ref()))
|
||||
let mut signature = vec![0; self.private_key.public_modulus_len()];
|
||||
|
||||
self.private_key
|
||||
.sign(
|
||||
&RSA_PKCS1_SHA256,
|
||||
&self.rng,
|
||||
signing_string.as_bytes(),
|
||||
&mut signature,
|
||||
)
|
||||
.map_err(|_| ErrorKind::SignRequest)?;
|
||||
|
||||
Ok(STANDARD.encode(&signature))
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue