3

我正在尝试按照Node.js 中的描述实现 Safari 推送通知,以便在 Google Cloud Function 中运行

我正在尝试使用forge创建分离的 PKCS#7 签名,但我的"Signature verification of push package failed"日志记录端点上总是出现错误。我尝试signature以 DER 和 PEM 格式对它们进行编码,但均未成功。基于 Apple 的 PHP 示例,他们想要 DER。我也尝试过使用该safari push notifications 软件包但没有成功。

这是代码:

import * as functions from "firebase-functions";
import * as admin from "firebase-admin";
import fs from "fs";
import path from "path";
import express from "express";
import crypto from "crypto";
import forge from "node-forge";
import archiver from "archiver";

const app = express();

const iconFiles = [
    "icon_16x16.png",
    "icon_16x16@2x.png",
    "icon_32x32.png",
    "icon_32x32@2x.png",
    "icon_128x128.png",
    "icon_128x128@2x.png",
];

const websiteJson = {
    websiteName: "...",
    websitePushID: "web.<...>",
    allowedDomains: ["..."],
    urlFormatString: "...",
    authenticationToken: "...",
    webServiceURL: "...",
};

const p12Asn1 = forge.asn1.fromDer(fs.readFileSync("./certs/apple_push.p12", 'binary'));
const p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, functions.config().safari.keypassword);

const certBags = p12.getBags({bagType: forge.pki.oids.certBag});
const certBag = certBags[forge.pki.oids.certBag];
const cert = certBag[0].cert;

const keyBags = p12.getBags({bagType: forge.pki.oids.pkcs8ShroudedKeyBag});
const keyBag = keyBags[forge.pki.oids.pkcs8ShroudedKeyBag];
const key = keyBag[0].key;

const intermediate = forge.pki.certificateFromPem(fs.readFileSync("./certs/intermediate.pem", "utf8"));

app.post("/:version/pushPackages/:websitePushId", async (req, res) => {
    if (!cert) {
        console.log("cert is null");

        res.sendStatus(500);
        return;
    }

    if (!key) {
        console.log("key is null");

        res.sendStatus(500);
        return;
    }

    const iconSourceDir = "...";

    res.attachment("pushpackage.zip");

    const archive = archiver("zip");

    archive.on("error", function (err) {
        res.status(500).send({ error: err.message });
        return;
    });

    archive.on("warning", function (err) {
        if (err.code === "ENOENT") {
            console.log(`Archive warning ${err}`);
        } else {
            throw err;
        }
    });

    archive.on("end", function () {
        console.log("Archive wrote %d bytes", archive.pointer());
    });

    archive.pipe(res);

    archive.directory(iconSourceDir, "icon.iconset");

    const manifest: {
        [key: string]: { hashType: string; hashValue: string };
    } = {};

    const readPromises: Promise<void>[] = [];

    iconFiles.forEach((i) =>
        readPromises.push(
            new Promise((resolve, reject) => {
                const hash = crypto.createHash("sha512");
                const readStream = fs.createReadStream(
                    path.join(iconSourceDir, i),
                    { encoding: "utf8" }
                );

                readStream.on("data", (chunk) => {
                    hash.update(chunk);
                });

                readStream.on("end", () => {
                    const digest = hash.digest("hex");
                    manifest[`icon.iconset/${i}`] = {
                        hashType: "sha512",
                        hashValue: `${digest}`,
                    };
                    resolve();
                });

                readStream.on("error", (err) => {
                    console.log(`Error on readStream for ${i}; ${err}`);
                    reject();
                });
            })
        )
    );

    try {
        await Promise.all(readPromises);
    } catch (error) {
        console.log(`Error writing files; ${error}`);

        res.sendStatus(500);
        return;
    }

    const webJSON = {
        ...websiteJson,
        ...{ authenticationToken: "..." },
    };
    const webHash = crypto.createHash("sha512");

    const webJSONString = JSON.stringify(webJSON);

    webHash.update(webJSONString);

    manifest["website.json"] = {
        hashType: "sha512",
        hashValue: `${webHash.digest("hex")}`,
    };

    const manifestJSONString = JSON.stringify(manifest);

    archive.append(webJSONString, { name: "website.json" });
    archive.append(manifestJSONString, { name: "manifest.json" });

    const p7 = forge.pkcs7.createSignedData();
    p7.content = forge.util.createBuffer(manifestJSONString, "utf8");
    p7.addCertificate(cert);
    p7.addCertificate(intermediate);
    p7.addSigner({
        // @ts-ignore
        key,
        certificate: cert,
        digestAlgorithm: forge.pki.oids.sha256,
        authenticatedAttributes: [{
            type: forge.pki.oids.contentType,
            value: forge.pki.oids.data
          }, {
            type: forge.pki.oids.messageDigest
          }, {
            type: forge.pki.oids.signingTime,
            value: new Date().toString()
          }]
    });
    p7.sign({ detached: true });

    const pem = forge.pkcs7.messageToPem(p7);
    archive.append(Buffer.from(pem, 'binary'), { name: "signature" });

    // Have also tried this:
    // archive.append(forge.asn1.toDer(p7.toAsn1()).getBytes(), { name: "signature" });

    try {
        await archive.finalize();
    } catch (error) {
        console.log(`Error on archive.finalize(); ${error}`);

        res.sendStatus(500);
        return;
    }
});

当我下载并解压缩我的包时,我运行以下命令:

openssl smime -verify -in signature -content manifest.json -inform der -noverify

它返回:Verification successful

关于我哪里出错的任何建议?

4

1 回答 1

1

在测试了所有内容之后,使用相同的签名方法,我做到了。没有了"Signature verification of push package failed"

由于我在本地检查时也获得了“有效签名”,因此我开始在其他地方寻找根本原因(而不是专注于节点伪造代码)。

有些事情我认为很重要(我在做了一堆更改后尝试了,所以我不确定哪个是解决方案):

1.首先,检查Web Push Id。 确保websitePushID您的签名与您在 Applewebsite.json创建签名时键入的准确匹配。Web Push Certificate我是从网络本身发出的 REST 请求中获取它的,但我完全忘记了这一点,所以在来自网络的调用中,我使用的变体与用于证书的变体不同。(仔细检查下面的 javacript 代码):

window.safari.pushNotification.requestPermission(
            'https://...',
            WEB_PUSH_ID,  <--- THIS must match p12 cert web id. The Website Push ID.
            {},
            checkRemotePermission         // The callback function.
        );

另外,它website.json本身:

const websiteJson = { 
    websiteName: "...",
    websitePushID: WEB_PUSH_ID, // <--- THIS must match p12 cert web id. The Website Push ID.
    allowedDomains: ["..."],
    urlFormatString: "...",
    authenticationToken: "...",
    webServiceURL: "...",
};

2.放置适当的图标资源 可能不是原因,但出于测试目的,我使用了相同的图标,重命名了6次,没有缩放。我刚刚为每种尺寸创建了适当的资产。

3. 最后,我用于签名生成的代码片段 以防万一。(请注意,我删除了所有额外的 ``,但可能不是这样,因为我之前得到了相同的结果。

function signature(manifestData, certOrCertPem, privateKeyAssociatedWithCert)
{
    //A. load the WWWDC cert, always the same
    var intermediateBinnary = fs.readFileSync(Path.resolve('.') + '/AppleWWDRCA.pem', 'utf8')
    //console.log('pem wwwdc ', intermediateBinnary);
    //B. continue signing
    var p7 = forge.pkcs7.createSignedData();
    p7.content = forge.util.createBuffer(manifestData, 'utf8');
    p7.addCertificate(certOrCertPem);
    p7.addSigner({
        key: privateKeyAssociatedWithCert,
        certificate: certOrCertPem,
        digestAlgorithm: forge.pki.oids.sha256
    });
    p7.addCertificate(intermediateBinnary);
    p7.sign({detached: true});
    //console.log('p7: ',p7)

    var pem = forge.pkcs7.messageToPem(p7);
    console.log('pem: ',pem)

    // var lines = pem.split('\n')
    // console.log('lines ',lines);

    // We need to turn into DER according to Apple (sure there are better ways tho)
    var preDer = pem.replace('-----BEGIN PKCS7-----\r\n','');
    preDer = preDer.replace('\r\n-----END PKCS7-----','');
    //console.log('-+pem: ',preDer)

    // var lines = preDer.split('\n')
    // console.log('lines ',lines);

    return preDer;
}


// I call this signature method from:
...

var contentSignature = signature(contentManifestString, certPem, privatePem);
var bufferFromPem = Buffer.from(contentSignature, 'base64'); 
...
// Just add the bufferFromPem to a file

4. 还有一件事。 可能不相关,因为您似乎可以毫无问题地提取包、证书和密钥;但是由于我挣扎,变得空虚和未定义,我将离开这里我是如何做到的

    // Prepare
    var p12 = fs.readFileSync(Path.resolve('.') + '/Cert.p12', 'binary');
    var p12Asn1 = forge.asn1.fromDer(p12, false);
    var p12Parsed = forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, 'HERE_PASSWORD'); 

    // extract bags: https://github.com/digitalbazaar/forge/issues/533
    const keyData = p12Parsed.getBags({ bagType: forge.pki.oids.pkcs8ShroudedKeyBag })[forge.pki.oids.pkcs8ShroudedKeyBag]
                    .concat(p12Parsed.getBags({ bagType: forge.pki.oids.keyBag })[forge.pki.oids.keyBag]);
    const certBags = p12Parsed.getBags({ bagType: forge.pki.oids.certBag })[forge.pki.oids.certBag];
    
    // convert a Forge private key to an ASN.1 RSAPrivateKey
    var rsaPrivateKey = forge.pki.privateKeyToAsn1(keyData[0].key);
    // wrap an RSAPrivateKey ASN.1 object in a PKCS#8 ASN.1 PrivateKeyInfo
    var privateKeyInfo = forge.pki.wrapRsaPrivateKey(rsaPrivateKey);
    // convert a PKCS#8 ASN.1 PrivateKeyInfo to PEM
    var privatePem = forge.pki.privateKeyInfoToPem(privateKeyInfo); // <- KEY
    // Get cert as well (pem)
    var certPem = forge.pki.certificateToPem(certBags[0].cert); // <- CERT
于 2021-01-15T10:17:49.060 回答