From 71b7c31958e2ce11a4b5a11a5c282ca3bdcb41dc Mon Sep 17 00:00:00 2001
From: Mar0xy
Date: Fri, 20 Oct 2023 12:50:56 +0200
Subject: [PATCH] upd: refetch user keys on signature failure
Reference: https://github.com/misskey-dev/misskey/pull/12051
---
 .../src/core/activitypub/ApDbResolverService.ts | 15 ++++++++++++++-
 .../queue/processors/InboxProcessorService.ts | 16 ++++++++++++++--
 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/packages/backend/src/core/activitypub/ApDbResolverService.ts b/packages/backend/src/core/activitypub/ApDbResolverService.ts
index 995c5dcd5..dd1687ede 100644
--- a/packages/backend/src/core/activitypub/ApDbResolverService.ts
+++ b/packages/backend/src/core/activitypub/ApDbResolverService.ts
@@ -12,7 +12,7 @@ import type { MiUserPublickey } from '@/models/UserPublickey.js';
 import { CacheService } from '@/core/CacheService.js';
 import type { MiNote } from '@/models/Note.js';
 import { bindThis } from '@/decorators.js';
-import { MiLocalUser, MiRemoteUser } from '@/models/User.js';
+import type { MiLocalUser, MiRemoteUser } from '@/models/User.js';
 import { getApId } from './type.js';
 import { ApPersonService } from './models/ApPersonService.js';
 import type { IObject } from './type.js';
@@ -164,6 +164,19 @@ export class ApDbResolverService implements OnApplicationShutdown {
 };
 }
+ /**
+ * Sharkey User -> Refetched Key
+ */
+ @bindThis
+ public async refetchPublicKeyForApId(user: MiRemoteUser): Promise { await this.apPersonService.updatePerson(user.uri); const key = await this.userPublickeysRepository.findOneBy({ userId: user.id }); if (key != null) { await this.publicKeyByUserIdCache.set(user.id, key); } return key; }
+
 @bindThis
 public dispose(): void {
 this.publicKeyCache.dispose();
diff --git a/packages/backend/src/queue/processors/InboxProcessorService.ts b/packages/backend/src/queue/processors/InboxProcessorService.ts
index 89d4ea503..f51c9f140 100644
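Review bot: refetchPublicKeyForApId refreshes only `publicKeyByUserIdCache`; the separate `publicKeyCache` that `dispose()` tears down at the end of the hunk is left untouched, so if that is the cache the inbox path resolves a `keyId` through, every later delivery from the same signer will still be checked against the stale key, fail, and trigger another `updatePerson()` fetch until the entry expires. Consider also storing the fresh record under its key identifier inside the `key != null` branch, e.g. `await this.publicKeyCache.set(key.keyId, key);` (field name to be confirmed against MiUserPublickey), and when `findOneBy` returns null, evicting the old user-id entry instead of keeping it. Separately, `updatePerson(user.uri)` is an unconditional outbound fetch reachable from any inbox request with a bad signature; unless updatePerson already rate-limits by last-fetch time (not visible here), a per-user cooldown would bound how often a remote party can make this server re-fetch an actor. The return annotation shows as `Promise {` in this listing, presumably `Promise<MiUserPublickey | null>` lost to rendering.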
--- a/packages/backend/src/queue/processors/InboxProcessorService.ts
+++ b/packages/backend/src/queue/processors/InboxProcessorService.ts
@@ -104,12 +104,24 @@ export class InboxProcessorService {
 }
 // HTTP-Signatureの検証
- const httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+ let httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
 // また、signatureのsignerは、activity.actorと一致する必要がある
 if (!httpSignatureValidated || authUser.user.uri !== activity.actor) {
+ let renewKeyFailed = false;
+
+ if (!httpSignatureValidated) {
+ authUser.key = await this.apDbResolverService.refetchPublicKeyForApId(authUser.user);
+
+ if (authUser.key != null) {
+ httpSignatureValidated = httpSignature.verifySignature(signature, authUser.key.keyPem);
+ } else {
+ renewKeyFailed = true;
+ }
+ }
+
 // 一致しなくても、でもLD-Signatureがありそうならそっちも見る
- if (activity.signature) {
+ if (activity.signature && renewKeyFailed) {
 if (activity.signature.type !== 'RsaSignature2017') {
 throw new Bull.UnrecoverableError(`skip: unsupported LD-signature type ${activity.signature.type}`);
 }
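Review bot: The `&& renewKeyFailed` added to the LD-Signature condition narrows the fallback to a single case — the key refetch returned null — so an activity whose HTTP signature verifies but whose signer is not `activity.actor` (the second half of the enclosing `if`, the forwarded/relayed case the "一致しなくても" comment is about), or one whose refetched key still fails verification, no longer has its LD-Signature checked and presumably falls into whatever rejection branch follows outside this hunk. As far as I recall the referenced upstream change keeps that fallback unconditional, so unless the narrowing is intended the line should remain `if (activity.signature) {` and `renewKeyFailed` can go. Note too that on the refetch-failed path `authUser.key` is now null when control leaves this block; confirm nothing after the hunk dereferences `authUser.key.keyPem` before `authUser` is reassigned. Finally, the refetch is triggered by any inbox POST whose signature fails against a known keyId, which lets an unauthenticated sender make this server repeatedly fetch `authUser.user.uri`; a per-user cooldown on the refetch would bound that. The enclosing method starts and continues outside the hunk.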