fix: certificate in Apple Game Center auth adapter not validated [skip release]

changelogs/CHANGELOG_release.md

@@ -1,3 +1,10 @@
+## [5.2.2](https://github.com/parse-community/parse-server/compare/5.2.1...5.2.2) (2022-06-17)
+
+
+### Bug Fixes
+
+* certificate in Apple Game Center auth adapter not validated; this fixes a security vulnerability in which authentication could be bypassed using a fake certificate; if you are using the Apple Gamer Center auth adapter it is your responsibility to keep its root certificate up-to-date and we advice you read the security advisory ([GHSA-rh9j-f5f8-rvgc](https://github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc)) ([ba2b0a9](https://github.com/parse-community/parse-server/commit/ba2b0a9cb9a568817a114b132a4c2e0911d76df1))
+
 ## [5.2.1](https://github.com/parse-community/parse-server/compare/5.2.0...5.2.1) (2022-05-01)
 
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "parse-server",
-  "version": "5.3.0-beta.1",
+  "version": "5.2.2",
   "description": "An express module providing a Parse-compatible API server",
   "main": "lib/index.js",
   "repository": {

spec/AuthenticationAdapters.spec.js

@@ -1682,7 +1682,41 @@ describe('Apple Game Center Auth adapter', () => {
   const gcenter = require('../lib/Adapters/Auth/gcenter');
   const fs = require('fs');
   const testCert = fs.readFileSync(__dirname + '/support/cert/game_center.pem');
+
+  it('can load adapter', async () => {
+    const options = {
+      gcenter: {
+        rootCertificateUrl:
+          'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem',
+      },
+    };
+    const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter(
+      'gcenter',
+      options
+    );
+    await adapter.validateAppId(
+      appIds,
+      { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' },
+      providerOptions
+    );
+  });
+
   it('validateAuthData should validate', async () => {
+    const options = {
+      gcenter: {
+        rootCertificateUrl:
+          'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem',
+      },
+    };
+    const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter(
+      'gcenter',
+      options
+    );
+    await adapter.validateAppId(
+      appIds,
+      { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' },
+      providerOptions
+    );
     // real token is used
     const authData = {
       id: 'G:1965586982',
@@ -1698,6 +1732,15 @@ describe('Apple Game Center Auth adapter', () => {
   });
 
   it('validateAuthData invalid signature id', async () => {
+    const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter(
+      'gcenter',
+      {}
+    );
+    await adapter.validateAppId(
+      appIds,
+      { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' },
+      providerOptions
+    );
     const authData = {
       id: 'G:1965586982',
       publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-6.cer',
@@ -1712,6 +1755,21 @@ describe('Apple Game Center Auth adapter', () => {
   });
 
   it('validateAuthData invalid public key http url', async () => {
+    const options = {
+      gcenter: {
+        rootCertificateUrl:
+          'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem',
+      },
+    };
+    const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter(
+      'gcenter',
+      options
+    );
+    await adapter.validateAppId(
+      appIds,
+      { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' },
+      providerOptions
+    );
     const publicKeyUrls = [
       'example.com',
       'http://static.gc.apple.com/public-key/gc-prod-4.cer',
@@ -1739,6 +1797,78 @@ describe('Apple Game Center Auth adapter', () => {
       )
     );
   });
+
+  it('should not validate Symantec Cert', async () => {
+    const options = {
+      gcenter: {
+        rootCertificateUrl:
+          'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem',
+      },
+    };
+    const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter(
+      'gcenter',
+      options
+    );
+    await adapter.validateAppId(
+      appIds,
+      { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' },
+      providerOptions
+    );
+    expect(() =>
+      gcenter.verifyPublicKeyIssuer(
+        testCert,
+        'https://static.gc.apple.com/public-key/gc-prod-4.cer'
+      )
+    );
+  });
+
+  it('adapter should load default cert', async () => {
+    const options = {
+      gcenter: {},
+    };
+    const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter(
+      'gcenter',
+      options
+    );
+    await adapter.validateAppId(
+      appIds,
+      { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' },
+      providerOptions
+    );
+    const previous = new Date();
+    await adapter.validateAppId(
+      appIds,
+      { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' },
+      providerOptions
+    );
+
+    const duration = new Date().getTime() - previous.getTime();
+    expect(duration).toEqual(0);
+  });
+
+  it('adapter should throw', async () => {
+    const options = {
+      gcenter: {
+        rootCertificateUrl: 'https://example.com',
+      },
+    };
+    const { adapter, appIds, providerOptions } = authenticationLoader.loadAuthAdapter(
+      'gcenter',
+      options
+    );
+    await expectAsync(
+      adapter.validateAppId(
+        appIds,
+        { publicKeyUrl: 'https://static.gc.apple.com/public-key/gc-prod-4.cer' },
+        providerOptions
+      )
+    ).toBeRejectedWith(
+      new Parse.Error(
+        Parse.Error.OBJECT_NOT_FOUND,
+        'Apple Game Center auth adapter parameter `rootCertificateURL` is invalid.'
+      )
+    );
+  });
 });
 
 describe('phant auth adapter', () => {

src/Adapters/Auth/gcenter.js

@@ -14,7 +14,8 @@ const authData = {
 const { Parse } = require('parse/node');
 const crypto = require('crypto');
 const https = require('https');
-
+const { pki } = require('node-forge');
+const ca = { cert: null, url: null };
 const cache = {}; // (publicKey -> cert) cache
 
 function verifyPublicKeyUrl(publicKeyUrl) {
@@ -52,39 +53,53 @@ async function getAppleCertificate(publicKeyUrl) {
     path: url.pathname,
     method: 'HEAD',
   };
-  const headers = await new Promise((resolve, reject) =>
+  const cert_headers = await new Promise((resolve, reject) =>
     https.get(headOptions, res => resolve(res.headers)).on('error', reject)
   );
+  const validContentTypes = ['application/x-x509-ca-cert', 'application/pkix-cert'];
   if (
-    headers['content-type'] !== 'application/pkix-cert' ||
-    headers['content-length'] == null ||
-    headers['content-length'] > 10000
+    !validContentTypes.includes(cert_headers['content-type']) ||
+    cert_headers['content-length'] == null ||
+    cert_headers['content-length'] > 10000
   ) {
     throw new Parse.Error(
       Parse.Error.OBJECT_NOT_FOUND,
       `Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}`
     );
   }
+  const { certificate, headers } = await getCertificate(publicKeyUrl);
+  if (headers['cache-control']) {
+    const expire = headers['cache-control'].match(/max-age=([0-9]+)/);
+    if (expire) {
+      cache[publicKeyUrl] = certificate;
+      // we'll expire the cache entry later, as per max-age
+      setTimeout(() => {
+        delete cache[publicKeyUrl];
+      }, parseInt(expire[1], 10) * 1000);
+    }
+  }
+  return verifyPublicKeyIssuer(certificate, publicKeyUrl);
+}
+
+function getCertificate(url, buffer) {
   return new Promise((resolve, reject) => {
     https
-      .get(publicKeyUrl, res => {
-        let data = '';
+      .get(url, res => {
+        const data = [];
         res.on('data', chunk => {
-          data += chunk.toString('base64');
+          data.push(chunk);
         });
         res.on('end', () => {
-          const cert = convertX509CertToPEM(data);
-          if (res.headers['cache-control']) {
-            var expire = res.headers['cache-control'].match(/max-age=([0-9]+)/);
-            if (expire) {
-              cache[publicKeyUrl] = cert;
-              // we'll expire the cache entry later, as per max-age
-              setTimeout(() => {
-                delete cache[publicKeyUrl];
-              }, parseInt(expire[1], 10) * 1000);
-            }
+          if (buffer) {
+            resolve({ certificate: Buffer.concat(data), headers: res.headers });
+            return;
           }
-          resolve(cert);
+          let cert = '';
+          for (const chunk of data) {
+            cert += chunk.toString('base64');
+          }
+          const certificate = convertX509CertToPEM(cert);
+          resolve({ certificate, headers: res.headers });
         });
       })
       .on('error', reject);
@@ -115,6 +130,30 @@ function verifySignature(publicKey, authData) {
   }
 }
 
+function verifyPublicKeyIssuer(cert, publicKeyUrl) {
+  const publicKeyCert = pki.certificateFromPem(cert);
+  if (!ca.cert) {
+    throw new Parse.Error(
+      Parse.Error.OBJECT_NOT_FOUND,
+      'Apple Game Center auth adapter parameter `rootCertificateURL` is invalid.'
+    );
+  }
+  try {
+    if (!ca.cert.verify(publicKeyCert)) {
+      throw new Parse.Error(
+        Parse.Error.OBJECT_NOT_FOUND,
+        `Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}`
+      );
+    }
+  } catch (e) {
+    throw new Parse.Error(
+      Parse.Error.OBJECT_NOT_FOUND,
+      `Apple Game Center - invalid publicKeyUrl: ${publicKeyUrl}`
+    );
+  }
+  return cert;
+}
+
 // Returns a promise that fulfills if this user id is valid.
 async function validateAuthData(authData) {
   if (!authData.id) {
@@ -126,8 +165,27 @@ async function validateAuthData(authData) {
 }
 
 // Returns a promise that fulfills if this app id is valid.
-function validateAppId() {
-  return Promise.resolve();
+async function validateAppId(appIds, authData, options = {}) {
+  if (!options.rootCertificateUrl) {
+    options.rootCertificateUrl =
+      'https://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt.pem';
+  }
+  if (ca.url === options.rootCertificateUrl) {
+    return;
+  }
+  const { certificate, headers } = await getCertificate(options.rootCertificateUrl, true);
+  if (
+    headers['content-type'] !== 'application/x-pem-file' ||
+    headers['content-length'] == null ||
+    headers['content-length'] > 10000
+  ) {
+    throw new Parse.Error(
+      Parse.Error.OBJECT_NOT_FOUND,
+      'Apple Game Center auth adapter parameter `rootCertificateURL` is invalid.'
+    );
+  }
+  ca.cert = pki.certificateFromPem(certificate);
+  ca.url = options.rootCertificateUrl;
 }
 
 module.exports = {