fix(SSO): JWK関数の仕様変更に対応 (MisskeyIO#959)

MisskeyIO#950
2025-04-01 01:53:25 +09:00 · 2025-04-01 01:53:25 +09:00 · eb5e94dbf8
commit eb5e94dbf8
parent cf1151aa28
5 changed files with 13 additions and 10 deletions
--- a/packages/backend/src/misc/gen-x509-cert-from-jwk.ts
+++ b/packages/backend/src/misc/gen-x509-cert-from-jwk.ts
@ -7,6 +7,7 @@ export async function genX509CertFromJWK(
 	notAfter: Date,
 	publicKey: string,
 	privateKey: string,
 	alg: string,
 ): Promise<string> {
 	const cert = forge.pki.createCertificate();
 	cert.serialNumber = '01';
@ -17,13 +18,13 @@ export async function genX509CertFromJWK(
 	cert.setSubject(attrs);
 	cert.setIssuer(attrs);
 	cert.publicKey = await jose
-		.importJWK(JSON.parse(publicKey))
+		.importJWK(JSON.parse(publicKey), alg)
 		.then((k) => jose.exportSPKI(k as jose.CryptoKey))
 		.then((k) => forge.pki.publicKeyFromPem(k));
 	cert.sign(
 		await jose
-			.importJWK(JSON.parse(privateKey))
+			.importJWK(JSON.parse(privateKey), alg)
 			.then((k) => jose.exportPKCS8(k as jose.CryptoKey))
 			.then((k) => forge.pki.privateKeyFromPem(k)),
 		forge.md.sha256.create(),
--- a/packages/backend/src/server/api/endpoints/admin/sso/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/create.ts
@ -123,7 +123,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			}
 			const { publicKey, privateKey } = ps.useCertificate
-				? await jose.generateKeyPair(ps.signatureAlgorithm).then(async keypair => ({
+				? await jose.generateKeyPair(ps.signatureAlgorithm, { extractable: true }).then(async keypair => ({
 					publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),
 					privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),
 				}))
@ -139,6 +139,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				tenYearsLaterTime,
 				publicKey,
 				privateKey ?? '',
 				ps.signatureAlgorithm,
 			) : undefined;
 			const ssoServiceProvider = await this.singleSignOnServiceProviderRepository.insert({
--- a/packages/backend/src/server/api/endpoints/admin/sso/update.ts
+++ b/packages/backend/src/server/api/endpoints/admin/sso/update.ts
@ -60,7 +60,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const alg = ps.signatureAlgorithm ? ps.signatureAlgorithm : service.signatureAlgorithm;
 			const { publicKey, privateKey } = ps.regenerateCertificate
-				? await jose.generateKeyPair(alg).then(async keypair => ({
+				? await jose.generateKeyPair(alg, { extractable: true }).then(async keypair => ({
 					publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),
 					privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),
 				}))
@ -76,6 +76,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				tenYearsLaterTime,
 				publicKey ?? '',
 				privateKey ?? '',
 				alg,
 			) : undefined;
 			await this.singleSignOnServiceProviderRepository.update(service.id, {
--- a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
@ -193,7 +193,7 @@ export class JWTIdentifyProviderService {
 			try {
 				if (ssoServiceProvider.cipherAlgorithm) {
 					const key = ssoServiceProvider.publicKey.startsWith('{')
-						? await jose.importJWK(JSON.parse(ssoServiceProvider.publicKey))
+						? await jose.importJWK(JSON.parse(ssoServiceProvider.publicKey), ssoServiceProvider.signatureAlgorithm)
 						: jose.base64url.decode(ssoServiceProvider.publicKey);
 					jwt = await new jose.EncryptJWT(payload)
@ -211,7 +211,7 @@ export class JWTIdentifyProviderService {
 						.encrypt(key);
 				} else {
 					const key = ssoServiceProvider.privateKey
-						? await jose.importJWK(JSON.parse(ssoServiceProvider.privateKey))
+						? await jose.importJWK(JSON.parse(ssoServiceProvider.privateKey), ssoServiceProvider.signatureAlgorithm)
 						: jose.base64url.decode(ssoServiceProvider.publicKey);
 					jwt = await new jose.SignJWT(payload)
@ -311,7 +311,7 @@ export class JWTIdentifyProviderService {
 			try {
 				if (ssoServiceProvider.cipherAlgorithm) {
 					const key = ssoServiceProvider.privateKey
-						? await jose.importJWK(JSON.parse(ssoServiceProvider.privateKey))
+						? await jose.importJWK(JSON.parse(ssoServiceProvider.privateKey), ssoServiceProvider.signatureAlgorithm)
 						: jose.base64url.decode(ssoServiceProvider.publicKey);
 					const { payload } = await jose.jwtDecrypt(jwt, key, {
@ -323,7 +323,7 @@ export class JWTIdentifyProviderService {
 					return;
 				} else {
 					const key = ssoServiceProvider.publicKey.startsWith('{')
-						? await jose.importJWK(JSON.parse(ssoServiceProvider.publicKey))
+						? await jose.importJWK(JSON.parse(ssoServiceProvider.publicKey), ssoServiceProvider.signatureAlgorithm)
 						: jose.base64url.decode(ssoServiceProvider.publicKey);
 					const { payload } = await jose.jwtVerify(jwt, key, {
--- a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
@ -238,7 +238,7 @@ export class SAMLIdentifyProviderService {
 			const idp = saml.IdentityProvider({
 				metadata: await this.createIdPMetadataXml(ssoServiceProvider),
 				privateKey: await jose
-					.importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'))
+					.importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm)
 					.then(k => jose.exportPKCS8(k as jose.CryptoKey)),
 			});
@ -392,7 +392,7 @@ export class SAMLIdentifyProviderService {
 				const idp = saml.IdentityProvider({
 					metadata: await this.createIdPMetadataXml(ssoServiceProvider),
 					privateKey: await jose
-						.importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'))
+						.importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm)
 						.then(k => jose.exportPKCS8(k as jose.CryptoKey)),
 					loginResponseTemplate: { context: 'ignored' },
 				});