Add ed25519 webhook payload signing support#195
Open
MishkaRogachev wants to merge 3 commits into
Open
Conversation
MishkaRogachev
force-pushed
the
add-ed25519-webhook-payload-signing-support
branch
from
31d03c7 to
d0c9796
Compare
MishkaRogachev
force-pushed
the
add-ed25519-webhook-payload-signing-support
branch
from
d0c9796 to
46649dc
Compare
There was a problem hiding this comment.
Pull request overview
Adds Ed25519-based signing for filtering-report webhook payloads in the testnode environment by generating a self-signed certificate, wiring it into filtering-report’s report-forwarder config, and enforcing signature verification in the report receiver.
Changes:
- Add an
init-filtering-report-signerscript command to mint a self-signed Ed25519 cert/keypair into/config. - Update filtering-report config generation to include
report-forwarder.signer.pem-file. - Update the report receiver to verify signed payloads and reject invalid/unsigned requests with 401; add required dependencies for cert generation.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
test-node.bash |
Runs signer initialization when --filteringreport is enabled during init. |
scripts/package.json |
Adds @peculiar/x509 and reflect-metadata dependencies for cert generation. |
scripts/yarn.lock |
Locks new transitive dependencies for X.509 / DI support. |
scripts/index.ts |
Registers the new init-filtering-report-signer command with yargs. |
scripts/consts.ts |
Adds /config paths for signer private+cert PEM and pinned public cert PEM. |
scripts/config.ts |
Writes signer config, generates Ed25519 certs, and verifies signatures in serve-report-receiver. |
docker-compose.yaml |
Mounts the shared config volume into report-receiver to access pinned cert. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+1178
to
+1194
| function verifyReportSignature(req: any, rawBody: Buffer, signerKey: crypto.KeyObject) { | ||
| const sigHeader = req.headers['x-signature'] as string; | ||
| const tsHeader = req.headers['x-signature-timestamp'] as string; | ||
| if (!sigHeader || !tsHeader) { | ||
| throw new Error('missing signature headers'); | ||
| } | ||
|
|
||
| const tsSeconds = Number(tsHeader); | ||
| if (!Number.isFinite(tsSeconds) || Math.abs(Date.now() - tsSeconds * 1000) > REPORT_SIGNATURE_SKEW_MS) { | ||
| throw new Error('timestamp outside tolerance'); | ||
| } | ||
|
|
||
| const payload = Buffer.concat([Buffer.from(`${tsHeader}.`), rawBody] as Uint8Array[]); | ||
| if (!crypto.verify(null, payload as Uint8Array, signerKey, Buffer.from(sigHeader, 'base64') as Uint8Array)) { | ||
| throw new Error('signature verification failed'); | ||
| } | ||
| } |
Comment on lines
1200
to
+1201
| const http = require('http'); | ||
| const signerKey = new crypto.X509Certificate(fs.readFileSync(consts.filteringReportSignerPubPath) as Uint8Array).publicKey; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes NIT-4848
Add Ed25519 webhook payload signing to the filtering-report:
init-filtering-report-signer commandto mint a self-signed Ed25519 certificatewrite-filtering-report-configwires report-forwarder.signer.pem-file.@peculiar/x509+reflect-metadatadependencies for cert generation