Server: remove encryption when seending requests to other pods

We don't need it anymore since HTTPS is mandatory now
pull/24/head
Chocobozzz 2016-11-27 18:25:35 +01:00
parent bf57d5eebf
commit 38d78e5b82
6 changed files with 7 additions and 101 deletions

View File

@ -15,9 +15,7 @@ const Video = mongoose.model('Video')
router.post('/videos',
validators.signature,
validators.dataToDecrypt,
secureMiddleware.checkSignature,
secureMiddleware.decryptBody,
validators.remoteVideos,
remoteVideos
)

View File

@ -16,8 +16,6 @@ const peertubeCrypto = {
comparePassword,
createCertsIfNotExist,
cryptPassword,
decrypt,
encrypt,
sign
}
@ -57,34 +55,6 @@ function cryptPassword (password, callback) {
})
}
function decrypt (key, data, callback) {
fs.readFile(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem', function (err, file) {
if (err) return callback(err)
const myPrivateKey = ursa.createPrivateKey(file)
const decryptedKey = myPrivateKey.decrypt(key, 'hex', 'utf8')
const decryptedData = symetricDecrypt(data, decryptedKey)
return callback(null, decryptedData)
})
}
function encrypt (publicKey, data, callback) {
const crt = ursa.createPublicKey(publicKey)
symetricEncrypt(data, function (err, dataEncrypted) {
if (err) return callback(err)
const key = crt.encrypt(dataEncrypted.password, 'utf8', 'hex')
const encrypted = {
data: dataEncrypted.crypted,
key: key
}
callback(null, encrypted)
})
}
function sign (data) {
const myKey = ursa.createPrivateKey(fs.readFileSync(constants.CONFIG.STORAGE.CERT_DIR + 'peertube.key.pem'))
const signature = myKey.hashAndSign('sha256', data, 'utf8', 'hex')
@ -151,21 +121,3 @@ function generatePassword (callback) {
callback(null, buf.toString('utf8'))
})
}
function symetricDecrypt (text, password) {
const decipher = crypto.createDecipher(algorithm, password)
let dec = decipher.update(text, 'hex', 'utf8')
dec += decipher.final('utf8')
return dec
}
function symetricEncrypt (text, callback) {
generatePassword(function (err, password) {
if (err) return callback(err)
const cipher = crypto.createCipher(algorithm, password)
let crypted = cipher.update(text, 'utf8', 'hex')
crypted += cipher.final('hex')
callback(null, { crypted: crypted, password: password })
})
}

View File

@ -44,21 +44,8 @@ function makeSecureRequest (params, callback) {
// If there are data informations
if (params.data) {
// Encrypt data
if (params.encrypt === true) {
peertubeCrypto.encrypt(params.toPod.publicKey, JSON.stringify(params.data), function (err, encrypted) {
if (err) return callback(err)
requestParams.json.data = encrypted.data
requestParams.json.key = encrypted.key
request.post(requestParams, callback)
})
} else {
// No encryption
requestParams.json.data = params.data
request.post(requestParams, callback)
}
requestParams.json.data = params.data
request.post(requestParams, callback)
} else {
// No data
request.post(requestParams, callback)

View File

@ -7,15 +7,14 @@ const peertubeCrypto = require('../helpers/peertube-crypto')
const Pod = mongoose.model('Pod')
const secureMiddleware = {
checkSignature,
decryptBody
checkSignature
}
function checkSignature (req, res, next) {
const host = req.body.signature.host
Pod.loadByHost(host, function (err, pod) {
if (err) {
logger.error('Cannot get signed host in decryptBody.', { error: err })
logger.error('Cannot get signed host in body.', { error: err })
return res.sendStatus(500)
}
@ -24,7 +23,7 @@ function checkSignature (req, res, next) {
return res.sendStatus(403)
}
logger.debug('Decrypting body from %s.', host)
logger.debug('Checking signature from %s.', host)
const signatureOk = peertubeCrypto.checkSignature(pod.publicKey, host, req.body.signature.signature)
@ -32,30 +31,11 @@ function checkSignature (req, res, next) {
return next()
}
logger.error('Signature is not okay in decryptBody for %s.', req.body.signature.host)
logger.error('Signature is not okay in body for %s.', req.body.signature.host)
return res.sendStatus(403)
})
}
function decryptBody (req, res, next) {
peertubeCrypto.decrypt(req.body.key, req.body.data, function (err, decrypted) {
if (err) {
logger.error('Cannot decrypt data.', { error: err })
return res.sendStatus(500)
}
try {
req.body.data = JSON.parse(decrypted)
delete req.body.key
} catch (err) {
logger.error('Error in JSON.parse', { error: err })
return res.sendStatus(500)
}
next()
})
}
// ---------------------------------------------------------------------------
module.exports = secureMiddleware

View File

@ -4,20 +4,10 @@ const checkErrors = require('./utils').checkErrors
const logger = require('../../helpers/logger')
const validatorsRemote = {
dataToDecrypt,
remoteVideos,
signature
}
function dataToDecrypt (req, res, next) {
req.checkBody('key', 'Should have a key').notEmpty()
req.checkBody('data', 'Should have data').notEmpty()
logger.debug('Checking dataToDecrypt parameters', { parameters: { keyLength: req.body.key.length, bodyLength: req.body.data.length } })
checkErrors(req, res, next)
}
function remoteVideos (req, res, next) {
req.checkBody('data').isEachRemoteVideosValid()

View File

@ -108,8 +108,7 @@ function makeRequest (toPod, requestEndpoint, requestsToMake, callback) {
const params = {
toPod: toPod,
encrypt: true, // Security
sign: true, // To prove our identity
sign: true, // Prove our identity
method: 'POST',
path: '/api/' + constants.API_VERSION + '/remote/' + requestEndpoint,
data: requestsToMake // Requests we need to make