From f9f7a799b51231e49512f7945fd4a31c7f3c0e83 Mon Sep 17 00:00:00 2001 From: Beaudan Brown Date: Wed, 2 Oct 2019 15:22:42 +1000 Subject: [PATCH 1/3] Updating signature scheme to use hard coded fields --- js/modules/loki_app_dot_net_api.js | 43 ++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/js/modules/loki_app_dot_net_api.js b/js/modules/loki_app_dot_net_api.js index ca5bb3ade..dc75fda84 100644 --- a/js/modules/loki_app_dot_net_api.js +++ b/js/modules/loki_app_dot_net_api.js @@ -1,5 +1,5 @@ /* global log, textsecure, libloki, Signal, Whisper, Headers, ConversationController, -clearTimeout, MessageController, libsignal, StringView, window, _ */ +clearTimeout, MessageController, libsignal, StringView, window, _, dcodeIO */ const EventEmitter = require('events'); const nodeFetch = require('node-fetch'); const { URL, URLSearchParams } = require('url'); @@ -595,6 +595,22 @@ class LokiPublicChannelAPI { } } + getSigData(sigVer, noteValue, adnMessage) { + let sigString = ''; + sigString += adnMessage.text.trim(); + sigString += noteValue.timestamp; + if (noteValue.quote) { + sigString += noteValue.quote.id; + sigString += noteValue.quote.author; + sigString += noteValue.quote.text.trim(); + if (adnMessage.reply_to) { + sigString += adnMessage.reply_to; + } + } + sigString += sigVer; + return dcodeIO.ByteBuffer.wrap(sigString, 'utf8').toArrayBuffer(); + } + async getMessengerData(adnMessage) { if ( !Array.isArray(adnMessage.annotations) || @@ -629,15 +645,12 @@ class LokiPublicChannelAPI { if (adnMessage.reply_to) { verifyObj.reply_to = adnMessage.reply_to; } + const sigData = this.getSigData(sigver, noteValue, adnMessage); const pubKeyBin = StringView.hexToArrayBuffer(adnMessage.user.username); const sigBin = StringView.hexToArrayBuffer(sig); try { - await libsignal.Curve.async.verifySignature( - pubKeyBin, - JSON.stringify(verifyObj), - sigBin - ); + await libsignal.Curve.async.verifySignature(pubKeyBin, sigData, sigBin); } catch (e) { if (e.message === 'Invalid signature') { // keep noise out of the logs, once per start up is enough @@ -842,20 +855,22 @@ class LokiPublicChannelAPI { } } const privKey = await this.serverAPI.chatAPI.getPrivateKey(); - const objToSign = { - version: 1, - text, - annotations: payload.annotations, - }; + const sigVer = 1; + let mockAdnMessage = { text }; if (payload.reply_to) { - objToSign.reply_to = payload.reply_to; + mockAdnMessage.reply_to = payload.reply_to; } + const sigData = this.getSigData( + sigVer, + payload.annotations[0].value, + mockAdnMessage + ); const sig = await libsignal.Curve.async.calculateSignature( privKey, - JSON.stringify(objToSign) + sigData ); payload.annotations[0].value.sig = StringView.arrayBufferToHex(sig); - payload.annotations[0].value.sigver = objToSign.version; + payload.annotations[0].value.sigver = sigVer; const res = await this.serverRequest(`${this.baseChannelUrl}/messages`, { method: 'POST', objBody: payload, From 399c54452e4412b402d714f87534a8085fca33f3 Mon Sep 17 00:00:00 2001 From: Beaudan Brown Date: Wed, 2 Oct 2019 15:52:39 +1000 Subject: [PATCH 2/3] Default user name to anonymouse if they don't have one set --- js/modules/loki_app_dot_net_api.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/js/modules/loki_app_dot_net_api.js b/js/modules/loki_app_dot_net_api.js index dc75fda84..53797e3c1 100644 --- a/js/modules/loki_app_dot_net_api.js +++ b/js/modules/loki_app_dot_net_api.js @@ -725,11 +725,14 @@ class LokiPublicChannelAPI { ? adnMessage.id : Math.max(this.lastGot, adnMessage.id); + if (!adnMessage.user.name) { + adnMessage.user.name = 'Anonymous'; + } + if ( !adnMessage.id || !adnMessage.user || !adnMessage.user.username || // pubKey lives in the username field - !adnMessage.user.name || // profileName lives in the name field !adnMessage.text || adnMessage.is_deleted ) { From 9ed3ec5dec6b717cebb9fbe6d4f836de4a015eec Mon Sep 17 00:00:00 2001 From: Beaudan Brown Date: Thu, 3 Oct 2019 15:41:02 +1000 Subject: [PATCH 3/3] Fix linting --- js/modules/loki_app_dot_net_api.js | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/js/modules/loki_app_dot_net_api.js b/js/modules/loki_app_dot_net_api.js index 53797e3c1..fb92bdcc9 100644 --- a/js/modules/loki_app_dot_net_api.js +++ b/js/modules/loki_app_dot_net_api.js @@ -595,7 +595,7 @@ class LokiPublicChannelAPI { } } - getSigData(sigVer, noteValue, adnMessage) { + static getSigData(sigVer, noteValue, adnMessage) { let sigString = ''; sigString += adnMessage.text.trim(); sigString += noteValue.timestamp; @@ -637,15 +637,11 @@ class LokiPublicChannelAPI { const annoCopy = [...adnMessage.annotations]; // strip out sig and sigver annoCopy[0] = _.omit(annoCopy[0], ['value.sig', 'value.sigver']); - const verifyObj = { - text: adnMessage.text, - version: sigver, - annotations: annoCopy, - }; - if (adnMessage.reply_to) { - verifyObj.reply_to = adnMessage.reply_to; - } - const sigData = this.getSigData(sigver, noteValue, adnMessage); + const sigData = LokiPublicChannelAPI.getSigData( + sigver, + noteValue, + adnMessage + ); const pubKeyBin = StringView.hexToArrayBuffer(adnMessage.user.username); const sigBin = StringView.hexToArrayBuffer(sig); @@ -725,10 +721,6 @@ class LokiPublicChannelAPI { ? adnMessage.id : Math.max(this.lastGot, adnMessage.id); - if (!adnMessage.user.name) { - adnMessage.user.name = 'Anonymous'; - } - if ( !adnMessage.id || !adnMessage.user || @@ -777,7 +769,7 @@ class LokiPublicChannelAPI { }, ].splice(-5); - const from = adnMessage.user.name; // profileName + const from = adnMessage.user.name || 'Anonymous'; // profileName const messageData = { serverId: adnMessage.id, @@ -859,11 +851,11 @@ class LokiPublicChannelAPI { } const privKey = await this.serverAPI.chatAPI.getPrivateKey(); const sigVer = 1; - let mockAdnMessage = { text }; + const mockAdnMessage = { text }; if (payload.reply_to) { mockAdnMessage.reply_to = payload.reply_to; } - const sigData = this.getSigData( + const sigData = LokiPublicChannelAPI.getSigData( sigVer, payload.annotations[0].value, mockAdnMessage