Fixed hashed msg by openssl in auth.sh, the JS client and the docs

kexkey
2018-10-21 22:35:55 -04:00
parent 4f5ad9a01c
commit 2f3097f4fd
5 changed files with 106 additions and 54 deletions


@@ -39,14 +39,14 @@ verify_sign()
if [ ${exp} -gt ${current} ]; then
trace "[verify_sign] Not expired, let's validate signature"
local id=$(echo ${payload} | jq ".id" | tr -d '"')
trace "[verify_sign] id=${id}"
trace "[verify_sign] id=${id}"
# Check for code injection
# id will usually be an int, but can be alphanum... nothing else
case $id in (*[![:alnum:]]*|"")
trace "[verify_sign] Potential code injection, exiting"
return 1
esac
# Check for code injection
# id will usually be an int, but can be alphanum... nothing else
case $id in (*[![:alnum:]]*|"")
trace "[verify_sign] Potential code injection, exiting"
return 1
esac
# It is so much faster to include the keys here instead of grep'ing the file for key.
. ./keys.properties
@@ -54,8 +54,11 @@ verify_sign()
local key
eval key='$ukey_'$id
trace "[verify_sign] key=${key}"
local comp_sign=$(echo "${header64}.${payload64}" | openssl dgst -hmac "${key}" -sha256 -r | cut -sd ' ' -f1)
local msg="${header64}.${payload64}"
trace "[verify_sign] msg=${msg}"
local comp_sign=$(echo -n "${msg}" | openssl dgst -hmac "${key}" -sha256 -r | cut -sd ' ' -f1)
trace "[verify_sign] comp_sign=${comp_sign}"
if [ "${comp_sign}" = "${signature}" ]; then
@@ -85,14 +88,14 @@ verify_group()
local id=${1}
local action=${REQUEST_URI:1}
trace "[verify_group] action=${action}"
trace "[verify_group] action=${action}"
# Check for code injection
# action can be alphanum... nothing else
case $action in (*[![:alnum:]]*|"")
trace "[verify_group] Potential code injection, exiting"
return 1
esac
# Check for code injection
# action can be alphanum... nothing else
case $action in (*[![:alnum:]]*|"")
trace "[verify_group] Potential code injection, exiting"
return 1
esac
# It is so much faster to include the keys here instead of grep'ing the file for key.
. ./api.properties
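Review bot: In the verify_sign hunk, the new `trace "[verify_sign] msg=${msg}"` sits between the traces of `key=${key}` and `comp_sign=${comp_sign}`, so the trace output holds the HMAC key, the signed message and its valid signature. Whether trace output is persisted is not visible here, but if it is, read access to that log is enough to produce accepted tokens. I would drop the key and computed-signature traces and keep the detail at the level of `trace "[verify_sign] id=${id}"`. Separately, this fix depends on no trailing newline reaching openssl, and `echo -n` is not treated the same way by every shell's `echo`, so `printf '%s' "${msg}"` is the safer producer for that pipe. The body of verify_sign starts and ends outside the hunks shown.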