add basic key handling to server
This commit is contained in:
parent
58dab177da
commit
53cc3ccaba
|
@ -763,11 +763,31 @@ var parsers = {
|
|||
};
|
||||
|
||||
var keystore = require('../lib/keystore.js').create(state);
|
||||
var keyname = 'telebit-remote';
|
||||
state.keystore = keystore;
|
||||
state.keystoreSecure = !keystore.insecure;
|
||||
keystore.get(keyname).then(function (key) {
|
||||
if (key && key.kty && key.kid) {
|
||||
keystore.all().then(function (list) {
|
||||
var keyext = '.key.jwk.json';
|
||||
var key;
|
||||
var convert;
|
||||
// TODO create map by account and index into that map to get the master key
|
||||
// and sort keys in the process
|
||||
list.some(function (el) {
|
||||
if (keyext === el.account.slice(-keyext.length)
|
||||
&& el.password.kty && el.password.kid) {
|
||||
key = el.password;
|
||||
return true;
|
||||
}
|
||||
});
|
||||
if (!key) {
|
||||
list.some(function (el) {
|
||||
if (el.password.kty) {
|
||||
convert = el.password;
|
||||
return true;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
if (key) {
|
||||
state.key = key;
|
||||
state.pub = keypairs.neuter({ jwk: key });
|
||||
fs.readFile(confpath, 'utf8', parseConfig);
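Review bot: The `convert` fallback accepts any stored JWK that has a `kty`, public keys included, so a public entry in the store would be promoted to `state.key` and only fail later at signing time; require the private component, `if (el.password.kty && el.password.d) {`. The first `list.some` match has the same gap, checking only `kty` and `kid` before `key = el.password;`. Both lookups also assume every entry has a string `account` and an object `password`; an entry without `account` would throw inside the `.then` and reject the chain. The enclosing `keystore.get(keyname).then(...)` callback starts and ends outside this hunk.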
|
||||
|
@ -776,9 +796,10 @@ keystore.get(keyname).then(function (key) {
|
|||
|
||||
return keypairs.generate().then(function (pair) {
|
||||
var jwk = pair.private;
|
||||
return keypairs.thumbprint({ jwk: pair.public }).then(function (kid) {
|
||||
if (convert) { jwk = convert; }
|
||||
return keypairs.thumbprint({ jwk: jwk }).then(function (kid) {
|
||||
jwk.kid = kid;
|
||||
return keystore.set(keyname, jwk).then(function () {
|
||||
return keystore.set(kid + keyext, jwk).then(function () {
|
||||
var size = (jwk.crv || Buffer.from(jwk.n, 'base64').byteLength * 8);
|
||||
console.info("Generated new %s %s private key with thumbprint %s", jwk.kty, size, kid);
|
||||
state.key = jwk;
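Review bot: `keypairs.generate()` runs before `convert` is consulted, so whenever a legacy key is found a fresh keypair is generated and then discarded at `if (convert) { jwk = convert; }`; decide first and generate only when needed, e.g. `var gen = convert ? Promise.resolve(convert) : keypairs.generate().then(function (pair) { return pair.private; });` and continue the chain from `gen`. If the `keypairs.thumbprint({ jwk: pair.public })` call is on the new side, its `kid` is shadowed by the inner thumbprint and computed for nothing. The `Generated new %s %s private key` message is also printed for a converted key, which misreports what happened. The promise chain this hunk sits in opens and closes outside the hunk.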
|
||||
|
|
134
bin/telebitd.js
134
bin/telebitd.js
|
@ -73,14 +73,11 @@ if (!confpath || /^--/.test(confpath)) {
|
|||
}
|
||||
|
||||
state._confpath = confpath;
|
||||
var tokenpath = path.join(path.dirname(state._confpath), 'access_token.txt');
|
||||
var token;
|
||||
try {
|
||||
token = fs.readFileSync(tokenpath, 'ascii').trim();
|
||||
//console.log('[DEBUG] access_token', typeof token, token);
|
||||
} catch(e) {
|
||||
// ignore
|
||||
}
|
||||
var keystore = require('../lib/keystore.js').create({
|
||||
name: "Telebit Daemon"
|
||||
, configDir: path.basename(confpath)
|
||||
});
|
||||
|
||||
var controlServer;
|
||||
var myRemote;
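Review bot: `configDir: path.basename(confpath)` is the config file's name, not its directory, so the file-backed fallback store would put `*.key` files under a directory named after the config file, relative to the process cwd, rather than beside it; the migration shim added later in this commit uses `path.dirname(state._confpath)` for the same location, which looks like what was intended: `, configDir: path.dirname(confpath)`. Since the fallback is only selected when the native keytar module cannot be loaded, the bug would surface only on those installs, which makes it easy to miss in testing.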
|
||||
|
||||
|
@ -442,14 +439,12 @@ function jwtEggspress(req, res, next) {
|
|||
|
||||
function verifyJws(jwk, jws) {
|
||||
return require('keypairs').export({ jwk: jwk }).then(function (pem) {
|
||||
var alg = 'RSA-SHA' + jws.header.alg.replace(/[^\d]+/i, '');
|
||||
// XXX
|
||||
// TODO check for public key in keytar
|
||||
// XXX
|
||||
var alg = 'SHA' + jws.header.alg.replace(/[^\d]+/i, '');
|
||||
var sig = ecdsaAsn1SigToJwtSig(jws.header.alg, jws.signature);
|
||||
return require('crypto')
|
||||
.createVerify(alg)
|
||||
.update(jws.protected + '.' + jws.payload)
|
||||
.verify(pem, jws.signature, 'base64');
|
||||
.verify(pem, sig, 'base64');
|
||||
});
|
||||
}
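Review bot: The digest is derived from the untrusted `jws.header.alg` and never checked against the key: `'SHA' + jws.header.alg.replace(/[^\d]+/i, '')` turns any `??256`-style value, `HS256` included, into `SHA256`, and a missing `alg` throws a TypeError inside the `.then`. The old `'RSA-SHA'` prefix at least bound the scheme to RSA; now that EC keys are accepted too, add an allow-list and a key-type match before building `alg`, e.g. `if (!/^(RS|ES)(256|384|512)$/.test(jws.header.alg)) { throw new Error("unsupported alg"); }` and `if (('EC' === jwk.kty) !== /^ES/.test(jws.header.alg)) { throw new Error("alg does not match key type"); }`. The `/i` flag on `/[^\d]+/i` has no effect on a digit-only class, and the pattern strips only the leading non-digit run. `ecdsaAsn1SigToJwtSig` is defined later in this file.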
|
||||
|
||||
|
@ -465,16 +460,31 @@ function jwsEggspress(req, res, next) {
|
|||
if ('{'.charCodeAt(0) === req.body[0] || '['.charCodeAt(0) === req.body[0]) {
|
||||
req.body = JSON.parse(req.body);
|
||||
}
|
||||
if (req.jws.header.jwk) {
|
||||
verifyJws(req.jws.header.jwk, req.jws).then(function (verified) {
|
||||
req.jws.selfVerified = verified;
|
||||
next();
|
||||
});
|
||||
return;
|
||||
|
||||
var vjwk;
|
||||
jwks.some(function (jwk) {
|
||||
if (jwk.kid === req.jws.header.kid) {
|
||||
vjwk = jwk;
|
||||
}
|
||||
});
|
||||
if ((0 === jwks.length && req.jws.header.jwk)) {
|
||||
vjwk = req.jws.header.jwk;
|
||||
if (!vjwk.kid) { throw Error("Impossible: no key id"); }
|
||||
}
|
||||
|
||||
// TODO verify if possible
|
||||
next();
|
||||
return verifyJws(vjwk, req.jws).then(function (verified) {
|
||||
if (true !== verified) {
|
||||
return;
|
||||
}
|
||||
req.jws.verified = verified;
|
||||
|
||||
if (0 !== jwks.length) {
|
||||
return;
|
||||
}
|
||||
return keystore.set(vjwk.kid + '.pub.jwk.json', vjwk);
|
||||
}).then(function () {
|
||||
next();
|
||||
});
|
||||
}
|
||||
|
||||
function handleApi() {
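Review bot: A signature that does not verify still reaches `next()`: the `return;` under `if (true !== verified)` only leaves the first `.then`, and the chained `.then(function () { next(); })` runs regardless, so the request proceeds with `req.jws.verified` merely unset; the handler should fail closed. In the first-use path (`0 === jwks.length`) the key is verified against itself and persisted under `vjwk.kid + '.pub.jwk.json'`, where `kid` comes straight from the header and is never compared with the key's thumbprint; with the file-backed fallback that name becomes a path component, and the persisted key is trusted for every later request. Throwing inside the chain is enough to fail closed here, because the eggspress change in this commit routes a rejected handler promise to `fail()`. The `jwks.some` callback never returns `true`, so it scans the whole list and the last match wins; `return true;` after `vjwk = jwk;` makes the intent explicit. `jwsEggspress` begins outside this hunk.
```javascript
return verifyJws(vjwk, req.jws).then(function (verified) {
  if (true !== verified) {
    // fail closed: the rejection reaches eggspress's fail() instead of next()
    throw new Error("jws signature could not be verified");
  }
  req.jws.verified = verified;
  if (0 !== jwks.length) {
    return;
  }
  // first-use trust: bind the header-supplied kid to the key material
  // before it is used as a keystore entry name
  return require('keypairs').thumbprint({ jwk: vjwk }).then(function (kid) {
    if (kid !== vjwk.kid) {
      throw new Error("jwk kid does not match its thumbprint");
    }
    return keystore.set(vjwk.kid + '.pub.jwk.json', vjwk);
  });
}).then(function () {
  next();
});
```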
|
||||
|
@ -883,7 +893,9 @@ function serveControlsHelper() {
|
|||
// nada
|
||||
}
|
||||
setTimeout(function () {
|
||||
console.log("trying again");
|
||||
console.log("Could not start control server (%s), trying again...", err.code);
|
||||
console.log(portFile);
|
||||
console.log(serverOpts);
|
||||
serveControlsHelper();
|
||||
}, 1000);
|
||||
return;
|
||||
|
@ -1313,15 +1325,19 @@ state.handlers = {
|
|||
return;
|
||||
}
|
||||
state.token = opts.jwt || opts.access_token;
|
||||
// TODO don't put token in config
|
||||
state.config.token = opts.jwt || opts.access_token;
|
||||
console.info("Updating '" + tokenpath + "' with new token:");
|
||||
console.info("Placing new token in keystore.");
|
||||
try {
|
||||
fs.writeFileSync(tokenpath, opts.jwt);
|
||||
fs.writeFileSync(confpath, YAML.safeDump(snakeCopy(state.config)));
|
||||
} catch (e) {
|
||||
console.error("Token not saved:");
|
||||
console.error(e);
|
||||
}
|
||||
return keystore.set("access_token.jwt", opts.jwt || opts.access_token).catch(function (e) {
|
||||
console.error("Token not saved:");
|
||||
console.error(e);
|
||||
});
|
||||
}
|
||||
};
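Review bot: The keystore entry name is spelled out as the literal `"access_token.jwt"` here while the migration shim in this commit introduces `var tokenname = "access_token.jwt";` for the same entry; one shared constant keeps the two from drifting apart (that `var` may need to move to a scope both can see). If `state.config.token = opts.jwt || opts.access_token;` is kept on the new side, the token still lives in the in-memory config object that the removed `YAML.safeDump` used to write out, so the `TODO don't put token in config` remains open. The `state.handlers` object this sits in starts outside the hunk.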
|
||||
|
||||
|
@ -1358,6 +1374,72 @@ state.net = state.net || {
|
|||
}
|
||||
};
|
||||
|
||||
fs.readFile(confpath, 'utf8', parseConfig);
|
||||
|
||||
var token;
|
||||
var tokenname = "access_token.jwt";
|
||||
// backwards-compatibility shim
|
||||
try {
|
||||
var tokenpath = path.join(path.dirname(state._confpath), 'access_token.txt');
|
||||
token = fs.readFileSync(tokenpath, 'ascii').trim();
|
||||
keystore.set(tokenname, token).then(onKeystore).catch(function (err) {
|
||||
console.error('keystore failure:');
|
||||
console.error(err);
|
||||
});
|
||||
} catch(e) {
|
||||
onKeystore();
|
||||
}
|
||||
var jwks = [];
|
||||
function onKeystore() {
|
||||
return keystore.all().then(function (list) {
|
||||
list.forEach(function (el) {
|
||||
if (tokenname === el.account) {
|
||||
token = el.password;
|
||||
return;
|
||||
}
|
||||
// these are secret because just adding the
|
||||
// willy-nilly to the fs can allow arbitrary tokens
|
||||
if (/\.pub\.jwk\.json$/.test(el.account)) {
|
||||
// pre-parsed
|
||||
jwks.push(el.password);
|
||||
return;
|
||||
}
|
||||
});
|
||||
fs.readFile(confpath, 'utf8', parseConfig);
|
||||
});
|
||||
}
|
||||
}());
|
||||
|
||||
function ecdsaAsn1SigToJwtSig(alg, b64sig) {
|
||||
// ECDSA JWT signatures differ from "normal" ECDSA signatures
|
||||
// https://tools.ietf.org/html/rfc7518#section-3.4
|
||||
if (!/^ES/i.test(alg)) { return b64sig; }
|
||||
|
||||
var bufsig = Buffer.from(b64sig, 'base64');
|
||||
var hlen = bufsig.byteLength / 2; // should be even
|
||||
var r = bufsig.slice(0, hlen);
|
||||
var s = bufsig.slice(hlen);
|
||||
// unpad positive ints less than 32 bytes wide
|
||||
while (!r[0]) { r = r.slice(1); }
|
||||
while (!s[0]) { s = s.slice(1); }
|
||||
// pad (or re-pad) ambiguously non-negative BigInts to 33 bytes wide
|
||||
if (0x80 & r[0]) { r = Buffer.concat([Buffer.from([0]), r]); }
|
||||
if (0x80 & s[0]) { s = Buffer.concat([Buffer.from([0]), s]); }
|
||||
|
||||
var len = 2 + r.byteLength + 2 + s.byteLength;
|
||||
var head = [0x30];
|
||||
// hard code 0x80 + 1 because it won't be longer than
|
||||
// two SHA512 plus two pad bytes (130 bytes <= 256)
|
||||
if (len >= 0x80) { head.push(0x81); }
|
||||
head.push(len);
|
||||
|
||||
var buf = Buffer.concat([
|
||||
Buffer.from(head)
|
||||
, Buffer.from([0x02, r.byteLength]), r
|
||||
, Buffer.from([0x02, s.byteLength]), s
|
||||
]);
|
||||
|
||||
return buf.toString('base64')
|
||||
.replace(/-/g, '+')
|
||||
.replace(/_/g, '/')
|
||||
.replace(/=/g, '')
|
||||
;
|
||||
}
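Review bot: `while (!r[0]) { r = r.slice(1); }` and the matching `s` loop never terminate when the half is empty or all zero bytes, because `r[0]` is `undefined` once the buffer is exhausted, `!undefined` is true, and `slice(1)` of an empty buffer is empty; this function is reached from `jwsEggspress` with a request-supplied signature, so a malformed signature stalls the daemon's event loop; bound the loops, `while (r.byteLength > 1 && 0 === r[0]) { r = r.slice(1); }`, and reject a zero-length half up front. In the migration shim, when `keystore.set(tokenname, token)` rejects, the `.catch` only logs and `onKeystore()` is never called, so `parseConfig` never runs and startup stalls silently; `return onKeystore();` at the end of that catch (or a hard exit) keeps the daemon moving. The shim also leaves the plaintext `access_token.txt` in place after copying the token into the keystore, so the secret it is meant to retire stays on disk. The function name inverts its direction: it converts the raw `r||s` JWS signature into the ASN.1 DER form that `createVerify().verify` expects, so a name like `jwsSigToAsn1` would read correctly.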
|
||||
|
|
|
@ -34,14 +34,21 @@ module.exports = function eggspress() {
|
|||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
//console.log("[eggspress] matched pattern", todo[0], req.url);
|
||||
todo[1](req, res, next);
|
||||
} catch(e) {
|
||||
function fail(e) {
|
||||
console.error("[eggspress] error", todo[2], todo[0], req.url);
|
||||
console.error(e);
|
||||
// TODO make a nice error message
|
||||
res.end(e.message);
|
||||
}
|
||||
|
||||
try {
|
||||
console.log("[eggspress] matched pattern", todo[0], req.url);
|
||||
var p = todo[1](req, res, next);
|
||||
if (p && p.catch) {
|
||||
p.catch(fail);
|
||||
}
|
||||
} catch(e) {
|
||||
fail(e);
|
||||
return;
|
||||
}
|
||||
}
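Review bot: `fail()` ends the response with the raw exception message but never sets a status code, so a handler that throws or rejects (including the new `p.catch(fail)` path) answers HTTP 200 with an internal error string as the body; set `res.statusCode = 500;` before `res.end(e.message);`, and consider a generic body since exception text can describe internals. The `console.log("[eggspress] matched pattern", todo[0], req.url)` line is now live rather than commented out, so every matched URL, query string included, goes to the log on every request. `eggspress` opens outside this hunk.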
|
||||
|
|
|
@ -1,12 +1,14 @@
|
|||
'use strict';
|
||||
/*global Promise*/
|
||||
|
||||
var fs = require('fs').promises;
|
||||
var path = require('path');
|
||||
|
||||
module.exports.create = function (opts) {
|
||||
var keyext = '.key';
|
||||
return {
|
||||
getPassword: function (service, name) {
|
||||
var f = path.join(opts.configDir, name + '.key');
|
||||
var f = path.join(opts.configDir, name + keyext);
|
||||
return fs.readFile(f, 'utf8').catch(function (err) {
|
||||
if ('ENOEXIST' === err.code) {
|
||||
return;
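Review bot: `'ENOEXIST' === err.code` is not a code Node reports; a missing key file surfaces as `ENOENT`, so `getPassword` rejects instead of resolving `undefined`, and the `keystore.get(keyname).then(function (key) { if (key && ...` caller added in this commit would not reach its generate-a-key branch on a fresh fallback install. The line appears to be pre-existing context, but the new code depends on it: `if ('ENOENT' === err.code) {`. `getPassword` continues past the end of the hunk.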
|
||||
|
@ -14,13 +16,22 @@ module.exports.create = function (opts) {
|
|||
});
|
||||
}
|
||||
, setPassword: function (service, name, key) {
|
||||
var f = path.join(opts.configDir, name + '.key');
|
||||
var f = path.join(opts.configDir, name + keyext);
|
||||
return fs.writeFile(f, key, 'utf8');
|
||||
}
|
||||
, deletePassword: function (service, name) {
|
||||
var f = path.join(opts.configDir, name + '.key');
|
||||
var f = path.join(opts.configDir, name + keyext);
|
||||
return fs.unlink(f);
|
||||
}
|
||||
, findCredentials: function (/*service*/) {
|
||||
return fs.readDir(opts.configDir).then(function (nodes) {
|
||||
return Promise.all(nodes.filter(function (node) {
|
||||
return keyext === node.slice(-4);
|
||||
}).map(function (node) {
|
||||
return fs.readFile(path.join(opts.configDir, node + keyext));
|
||||
}));
|
||||
});
|
||||
}
|
||||
, insecure: true
|
||||
};
|
||||
};
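Review bot: `findCredentials` cannot work as written: `fs.promises` exposes `readdir`, not `readDir`; each directory entry already ends in `keyext`, so `node + keyext` names a file that does not exist; and the resolved values are raw Buffers, while `keystore.js`'s `all()` in this commit reads `el.account` and `el.password` from each element as keytar returns them. `setPassword` writes private keys with the default file mode; since this store is the plaintext fallback, pass `{ encoding: 'utf8', mode: 0o600 }` to `fs.writeFile` so newly created key files are not group- or world-readable. `node.slice(-4)` should also be `node.slice(-keyext.length)` so the comparison follows `keyext` if it changes.
```javascript
, findCredentials: function (/*service*/) {
    return fs.readdir(opts.configDir).then(function (nodes) {
      return Promise.all(nodes.filter(function (node) {
        return keyext === node.slice(-keyext.length);
      }).map(function (node) {
        // match the keytar shape consumed by keystore.js: { account, password }
        return fs.readFile(path.join(opts.configDir, node), 'utf8').then(function (password) {
          return { account: node.slice(0, -keyext.length), password: password };
        });
      }));
    });
  }
```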
|
||||
|
|
|
@ -1,10 +1,11 @@
|
|||
'use strict';
|
||||
|
||||
module.exports.create = function (opts) {
|
||||
var service = "Telebit";
|
||||
var service = opts.name || "Telebit";
|
||||
var keytar;
|
||||
try {
|
||||
keytar = require('keytar');
|
||||
// TODO test that long "passwords" (JWTs and JWKs) can be stored in all OSes
|
||||
} catch(e) {
|
||||
console.warn("Could not load native key management. Keys will be stored in plain text.");
|
||||
keytar = require('./keystore-fallback.js').create(opts);
|
||||
|
@ -21,6 +22,14 @@ module.exports.create = function (opts) {
|
|||
, delete: function (name) {
|
||||
return keytar.deletePassword(service, name);
|
||||
}
|
||||
, all: function () {
|
||||
return keytar.findCredentials(service).then(function (list) {
|
||||
return list.map(function (el) {
|
||||
el.password = maybeParse(el.password);
|
||||
return el;
|
||||
});
|
||||
});
|
||||
}
|
||||
, insecure: keytar.insecure
|
||||
};
|
||||
};
|
||||
|
|
|
@ -38,8 +38,7 @@
|
|||
"ansi-regex": {
|
||||
"version": "2.1.1",
|
||||
"resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
|
||||
"integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8=",
|
||||
"optional": true
|
||||
"integrity": "sha1-w7M6te42DYbg5ijwRorn7yfWVN8="
|
||||
},
|
||||
"aproba": {
|
||||
"version": "1.2.0",
|
||||
|
@ -137,14 +136,12 @@
|
|||
"code-point-at": {
|
||||
"version": "1.1.0",
|
||||
"resolved": "https://registry.npmjs.org/code-point-at/-/code-point-at-1.1.0.tgz",
|
||||
"integrity": "sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c=",
|
||||
"optional": true
|
||||
"integrity": "sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c="
|
||||
},
|
||||
"console-control-strings": {
|
||||
"version": "1.1.0",
|
||||
"resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz",
|
||||
"integrity": "sha1-PXz0Rk22RG6mRL9LOVB/mFEAjo4=",
|
||||
"optional": true
|
||||
"integrity": "sha1-PXz0Rk22RG6mRL9LOVB/mFEAjo4="
|
||||
},
|
||||
"core-util-is": {
|
||||
"version": "1.0.2",
|
||||
|
@ -236,7 +233,6 @@
|
|||
"version": "1.4.1",
|
||||
"resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.1.tgz",
|
||||
"integrity": "sha512-1MkrZNvWTKCaigbn+W15elq2BB/L22nqrSY5DKlo3X6+vclJm8Bb5djXJBmEX6fS3+zCh/F4VBK5Z2KxJt4s2Q==",
|
||||
"optional": true,
|
||||
"requires": {
|
||||
"once": "^1.4.0"
|
||||
}
|
||||
|
@ -400,7 +396,6 @@
|
|||
"version": "1.0.0",
|
||||
"resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-1.0.0.tgz",
|
||||
"integrity": "sha1-754xOG8DGn8NZDr4L95QxFfvAMs=",
|
||||
"optional": true,
|
||||
"requires": {
|
||||
"number-is-nan": "^1.0.0"
|
||||
}
|
||||
|
@ -429,10 +424,20 @@
|
|||
"resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz",
|
||||
"integrity": "sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus="
|
||||
},
|
||||
"keyfetch": {
|
||||
"version": "1.1.8",
|
||||
"resolved": "https://registry.npmjs.org/keyfetch/-/keyfetch-1.1.8.tgz",
|
||||
"integrity": "sha512-a8E1E25mHiv2zZnrBM6WNfQi4hG43TgVg1JG/D61WiTBAM07OJzSuy3j00H2pWPF6MCofBmA+KTzSu145nZWuA==",
|
||||
"requires": {
|
||||
"@coolaj86/urequest": "^1.3.6",
|
||||
"eckles": "^1.4.0",
|
||||
"rasha": "^1.2.1"
|
||||
}
|
||||
},
|
||||
"keypairs": {
|
||||
"version": "1.2.6",
|
||||
"resolved": "https://registry.npmjs.org/keypairs/-/keypairs-1.2.6.tgz",
|
||||
"integrity": "sha512-sJDaZvJqHWUawJjrOGKJvKGLfPh0eo2WV7td4RSL88w3BjPYCYI9PkqBn0hLqc6uw0HFSqZMikhGn/jgPpcWnQ==",
|
||||
"version": "1.2.12",
|
||||
"resolved": "https://registry.npmjs.org/keypairs/-/keypairs-1.2.12.tgz",
|
||||
"integrity": "sha512-zYjYdDvo7G4AIkkZVM3WEJBTRUIrFzYswYNqCxcCPHUsgbBBdewSHAH1CiaQ+VA6Yb7BLEPIv8gFrRz5wJrgsw==",
|
||||
"requires": {
|
||||
"eckles": "^1.4.1",
|
||||
"rasha": "^1.2.4"
|
||||
|
@ -597,8 +602,7 @@
|
|||
"number-is-nan": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz",
|
||||
"integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=",
|
||||
"optional": true
|
||||
"integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0="
|
||||
},
|
||||
"object-assign": {
|
||||
"version": "4.1.1",
|
||||
|
@ -617,7 +621,6 @@
|
|||
"version": "1.4.0",
|
||||
"resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
|
||||
"integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=",
|
||||
"optional": true,
|
||||
"requires": {
|
||||
"wrappy": "1"
|
||||
}
|
||||
|
@ -951,7 +954,6 @@
|
|||
"version": "1.0.2",
|
||||
"resolved": "https://registry.npmjs.org/string-width/-/string-width-1.0.2.tgz",
|
||||
"integrity": "sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=",
|
||||
"optional": true,
|
||||
"requires": {
|
||||
"code-point-at": "^1.0.0",
|
||||
"is-fullwidth-code-point": "^1.0.0",
|
||||
|
@ -970,7 +972,6 @@
|
|||
"version": "3.0.1",
|
||||
"resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz",
|
||||
"integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=",
|
||||
"optional": true,
|
||||
"requires": {
|
||||
"ansi-regex": "^2.0.0"
|
||||
}
|
||||
|
@ -1104,8 +1105,7 @@
|
|||
"wrappy": {
|
||||
"version": "1.0.2",
|
||||
"resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
|
||||
"integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
|
||||
"optional": true
|
||||
"integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8="
|
||||
},
|
||||
"ws": {
|
||||
"version": "6.0.0",
|
||||
|
|
|
@ -57,7 +57,8 @@
|
|||
"finalhandler": "^1.1.1",
|
||||
"greenlock": "^2.6.7",
|
||||
"js-yaml": "^3.11.0",
|
||||
"keypairs": "^1.2.6",
|
||||
"keyfetch": "^1.1.8",
|
||||
"keypairs": "^1.2.12",
|
||||
"mkdirp": "^0.5.1",
|
||||
"proxy-packer": "^2.0.2",
|
||||
"ps-list": "^5.0.0",
|
||||
|