oscar-surf/misskey
oscar-surf/misskey
0
0
Fork 0
Code Issues Activity

fix(SSO): JWK関数の仕様変更に対応 (MisskeyIO#959)

Browse source 
MisskeyIO#950
This commit is contained in:
あわわわとーにゅ 2025-04-01 01:53:25 +09:00 committed by GitHub
parent cf1151aa28
commit eb5e94dbf8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 13 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

5
packages/backend/src/misc/gen-x509-cert-from-jwk.ts
View file

@ -7,6 +7,7 @@ export async function genX509CertFromJWK(
notAfter: Date,
publicKey: string,
privateKey: string,
alg: string,
): Promise<string> {
const cert = forge.pki.createCertificate();
cert.serialNumber = '01';
@ -17,13 +18,13 @@ export async function genX509CertFromJWK(
cert.setSubject(attrs);
cert.setIssuer(attrs);
cert.publicKey = await jose
.importJWK(JSON.parse(publicKey))
.importJWK(JSON.parse(publicKey), alg)
.then((k) => jose.exportSPKI(k as jose.CryptoKey))
.then((k) => forge.pki.publicKeyFromPem(k));
cert.sign(
await jose
.importJWK(JSON.parse(privateKey))
.importJWK(JSON.parse(privateKey), alg)
.then((k) => jose.exportPKCS8(k as jose.CryptoKey))
.then((k) => forge.pki.privateKeyFromPem(k)),
forge.md.sha256.create(),

3
packages/backend/src/server/api/endpoints/admin/sso/create.ts
View file

@ -123,7 +123,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
}
const { publicKey, privateKey } = ps.useCertificate
? await jose.generateKeyPair(ps.signatureAlgorithm).then(async keypair => ({
? await jose.generateKeyPair(ps.signatureAlgorithm, { extractable: true }).then(async keypair => ({
publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),
privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),
}))
@ -139,6 +139,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
tenYearsLaterTime,
publicKey,
privateKey ?? '',
ps.signatureAlgorithm,
) : undefined;
const ssoServiceProvider = await this.singleSignOnServiceProviderRepository.insert({

3
packages/backend/src/server/api/endpoints/admin/sso/update.ts
View file

@ -60,7 +60,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
const alg = ps.signatureAlgorithm ? ps.signatureAlgorithm : service.signatureAlgorithm;
const { publicKey, privateKey } = ps.regenerateCertificate
? await jose.generateKeyPair(alg).then(async keypair => ({
? await jose.generateKeyPair(alg, { extractable: true }).then(async keypair => ({
publicKey: JSON.stringify(await jose.exportJWK(keypair.publicKey)),
privateKey: JSON.stringify(await jose.exportJWK(keypair.privateKey)),
}))
@ -76,6 +76,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
tenYearsLaterTime,
publicKey ?? '',
privateKey ?? '',
alg,
) : undefined;
await this.singleSignOnServiceProviderRepository.update(service.id, {

8
packages/backend/src/server/sso/JWTIdentifyProviderService.ts
View file

@ -193,7 +193,7 @@ export class JWTIdentifyProviderService {
try {
if (ssoServiceProvider.cipherAlgorithm) {
const key = ssoServiceProvider.publicKey.startsWith('{')
? await jose.importJWK(JSON.parse(ssoServiceProvider.publicKey))
? await jose.importJWK(JSON.parse(ssoServiceProvider.publicKey), ssoServiceProvider.signatureAlgorithm)
: jose.base64url.decode(ssoServiceProvider.publicKey);
jwt = await new jose.EncryptJWT(payload)
@ -211,7 +211,7 @@ export class JWTIdentifyProviderService {
.encrypt(key);
} else {
const key = ssoServiceProvider.privateKey
? await jose.importJWK(JSON.parse(ssoServiceProvider.privateKey))
? await jose.importJWK(JSON.parse(ssoServiceProvider.privateKey), ssoServiceProvider.signatureAlgorithm)
: jose.base64url.decode(ssoServiceProvider.publicKey);
jwt = await new jose.SignJWT(payload)
@ -311,7 +311,7 @@ export class JWTIdentifyProviderService {
try {
if (ssoServiceProvider.cipherAlgorithm) {
const key = ssoServiceProvider.privateKey
? await jose.importJWK(JSON.parse(ssoServiceProvider.privateKey))
? await jose.importJWK(JSON.parse(ssoServiceProvider.privateKey), ssoServiceProvider.signatureAlgorithm)
: jose.base64url.decode(ssoServiceProvider.publicKey);
const { payload } = await jose.jwtDecrypt(jwt, key, {
@ -323,7 +323,7 @@ export class JWTIdentifyProviderService {
return;
} else {
const key = ssoServiceProvider.publicKey.startsWith('{')
? await jose.importJWK(JSON.parse(ssoServiceProvider.publicKey))
? await jose.importJWK(JSON.parse(ssoServiceProvider.publicKey), ssoServiceProvider.signatureAlgorithm)
: jose.base64url.decode(ssoServiceProvider.publicKey);
const { payload } = await jose.jwtVerify(jwt, key, {

4
packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
View file

@ -238,7 +238,7 @@ export class SAMLIdentifyProviderService {
const idp = saml.IdentityProvider({
metadata: await this.createIdPMetadataXml(ssoServiceProvider),
privateKey: await jose
.importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'))
.importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm)
.then(k => jose.exportPKCS8(k as jose.CryptoKey)),
});
@ -392,7 +392,7 @@ export class SAMLIdentifyProviderService {
const idp = saml.IdentityProvider({
metadata: await this.createIdPMetadataXml(ssoServiceProvider),
privateKey: await jose
.importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'))
.importJWK(JSON.parse(ssoServiceProvider.privateKey ?? '{}'), ssoServiceProvider.signatureAlgorithm)
.then(k => jose.exportPKCS8(k as jose.CryptoKey)),
loginResponseTemplate: { context: 'ignored' },
});