diff --git a/spec/AuthenticationAdapters.spec.js b/spec/AuthenticationAdapters.spec.js index ca2d35363d..5c0123f3b7 100644 --- a/spec/AuthenticationAdapters.spec.js +++ b/spec/AuthenticationAdapters.spec.js @@ -1652,8 +1652,41 @@ describe('apple signin auth adapter', () => { describe('Apple Game Center Auth adapter', () => { const gcenter = require('../lib/Adapters/Auth/gcenter'); - + const fs = require('fs'); + const testCert = fs.readFileSync(__dirname + '/support/cert/game_center.pem'); + it('can load adapter', async () => { + const options = { + gcenter: { + rootCertificateUrl: + 'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem', + }, + }; + const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter( + 'gcenter', + options + ); + await adapter.validateAppId( + appIds, + { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' }, + providerOptions + ); + }); it('validateAuthData should validate', async () => { + const options = { + gcenter: { + rootCertificateUrl: + 'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem', + }, + }; + const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter( + 'gcenter', + options + ); + await adapter.validateAppId( + appIds, + { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' }, + providerOptions + ); // real token is used const authData = { id: 'G:1965586982', @@ -1664,29 +1697,49 @@ describe('Apple Game Center Auth adapter', () => { salt: 'DzqqrQ==', bundleId: 'cloud.xtralife.gamecenterauth', }; - + gcenter.cache['https://static.gc.apple.com/public-key/gc-prod-4.cer'] = testCert; await gcenter.validateAuthData(authData); }); it('validateAuthData invalid signature id', async () => { + const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter( + 'gcenter', + {} + ); + await adapter.validateAppId( + appIds, + { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' }, + providerOptions + ); const authData = { id: 'G:1965586982', - publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer', + publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-6.cer', timestamp: 1565257031287, signature: '1234', salt: 'DzqqrQ==', - bundleId: 'cloud.xtralife.gamecenterauth', + bundleId: 'com.example.com', }; - - try { - await gcenter.validateAuthData(authData); - fail(); - } catch (e) { - expect(e.message).toBe('Apple Game Center - invalid signature'); - } + await expectAsync(gcenter.validateAuthData(authData)).toBeRejectedWith( + new Parse.Error(Parse.Error.SCRIPT_FAILED, 'Apple Game Center - invalid signature') + ); }); it('validateAuthData invalid public key http url', async () => { + const options = { + gcenter: { + rootCertificateUrl: + 'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem', + }, + }; + const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter( + 'gcenter', + options + ); + await adapter.validateAppId( + appIds, + { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' }, + providerOptions + ); const publicKeyUrls = [ 'example.com', 'http://static.gc.apple.com/public-key/gc-prod-4.cer', @@ -1714,6 +1767,78 @@ describe('Apple Game Center Auth adapter', () => { ) ); }); + + it('should not validate Symantec Cert', async () => { + const options = { + gcenter: { + rootCertificateUrl: + 'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem', + }, + }; + const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter( + 'gcenter', + options + ); + await adapter.validateAppId( + appIds, + { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' }, + providerOptions + ); + expect(() => + gcenter.verifyPublicKeyIssuer( + testCert, + 'https://static.gc.apple.com/public-key/gc-prod-4.cer' + ) + ); + }); + + it('adapter should load default cert', async () => { + const options = { + gcenter: {}, + }; + const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter( + 'gcenter', + options + ); + await adapter.validateAppId( + appIds, + { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' }, + providerOptions + ); + const previous = new Date(); + await adapter.validateAppId( + appIds, + { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' }, + providerOptions + ); + + const duration = new Date().getTime() - previous.getTime(); + expect(duration).toEqual(0); + }); + + it('adapter should throw', async () => { + const options = { + gcenter: { + rootCertificateUrl: 'https://example.com', + }, + }; + const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter( + 'gcenter', + options + ); + await expectAsync( + adapter.validateAppId( + appIds, + { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' }, + providerOptions + ) + ).toBeRejectedWith( + new Parse.Error( + Parse.Error.OBJECT_NOT_FOUND, + 'Apple Game Center auth adapter parameter `rootCertificateURL` is invalid.' + ) + ); + }); }); describe('phant auth adapter', () => { diff --git a/src/Adapters/Auth/gcenter.js b/src/Adapters/Auth/gcenter.js index 5cd8e8affc..dde5bd6625 100644 --- a/src/Adapters/Auth/gcenter.js +++ b/src/Adapters/Auth/gcenter.js @@ -14,7 +14,8 @@ const authData = { const { Parse } = require('parse/node'); const crypto = require('crypto'); const https = require('https'); - +const { pki } = require('node-forge'); +const ca = { cert: null, url: null }; const cache = {}; // (publicKey -> cert) cache function verifyPublicKeyUrl(publicKeyUrl) { @@ -52,39 +53,52 @@ async function getAppleCertificate(publicKeyUrl) { path: url.pathname, method: 'HEAD', }; - const headers = await new Promise((resolve, reject) => + const cert_headers = await new Promise((resolve, reject) => https.get(headOptions, res => resolve(res.headers)).on('error', reject) ); if ( - headers['content-type'] !== 'application/pkix-cert' || - headers['content-length'] == null || - headers['content-length'] > 10000 + cert_headers['content-type'] !== 'application/pkix-cert' || + cert_headers['content-length'] == null || + cert_headers['content-length'] > 10000 ) { throw new Parse.Error( Parse.Error.OBJECT_NOT_FOUND, `Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}` ); } + const {certificate, headers} = await getCertificate(publicKeyUrl); + if (headers['cache-control']) { + const expire = headers['cache-control'].match(/max-age=([0-9]+)/); + if (expire) { + cache[publicKeyUrl] = certificate; + // we'll expire the cache entry later, as per max-age + setTimeout(() => { + delete cache[publicKeyUrl]; + }, parseInt(expire[1], 10) * 1000); + } + } + return verifyPublicKeyIssuer(certificate, publicKeyUrl); +} + +function getCertificate(url, buffer) { return new Promise((resolve, reject) => { https - .get(publicKeyUrl, res => { - let data = ''; + .get(url, res => { + const data = []; res.on('data', chunk => { - data += chunk.toString('base64'); + data.push(chunk); }); res.on('end', () => { - const cert = convertX509CertToPEM(data); - if (res.headers['cache-control']) { - var expire = res.headers['cache-control'].match(/max-age=([0-9]+)/); - if (expire) { - cache[publicKeyUrl] = cert; - // we'll expire the cache entry later, as per max-age - setTimeout(() => { - delete cache[publicKeyUrl]; - }, parseInt(expire[1], 10) * 1000); - } + if (buffer) { + resolve({certificate: Buffer.concat(data), headers: res.headers}); + return; } - resolve(cert); + let cert = ''; + for (const chunk of data) { + cert += chunk.toString('base64'); + } + const certificate = convertX509CertToPEM(cert); + resolve({certificate, headers: res.headers}); }); }) .on('error', reject); @@ -115,6 +129,27 @@ function verifySignature(publicKey, authData) { } } +function verifyPublicKeyIssuer(cert, publicKeyUrl) { + const publicKeyCert = pki.certificateFromPem(cert); + if (!ca.cert) { + throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Apple Game Center auth adapter parameter `rootCertificateURL` is invalid.'); + } + try { + if (!ca.cert.verify(publicKeyCert)) { + throw new Parse.Error( + Parse.Error.OBJECT_NOT_FOUND, + `Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}` + ); + } + } catch (e) { + throw new Parse.Error( + Parse.Error.OBJECT_NOT_FOUND, + `Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}` + ); + } + return cert; +} + // Returns a promise that fulfills if this user id is valid. async function validateAuthData(authData) { if (!authData.id) { @@ -126,11 +161,27 @@ async function validateAuthData(authData) { } // Returns a promise that fulfills if this app id is valid. -function validateAppId() { - return Promise.resolve(); +async function validateAppId(appIds, authData, options = {}) { + if (!options.rootCertificateUrl) { + options.rootCertificateUrl = 'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem' + } + if (ca.url === options.rootCertificateUrl) { + return; + } + const {certificate, headers} = await getCertificate(options.rootCertificateUrl, true); + if ( + headers['content-type'] !== 'application/x-pem-file' || + headers['content-length'] == null || + headers['content-length'] > 10000 + ) { + throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Apple Game Center auth adapter parameter `rootCertificateURL` is invalid.'); + } + ca.cert = pki.certificateFromPem(certificate); + ca.url = options.rootCertificateUrl } module.exports = { validateAppId, validateAuthData, + cache, };