Validate cert & key on set

Author: 3nprob

package-lock.json

@@ -5,7 +5,7 @@
   "main": "app.js",
   "bin": "./bin/matrix-appservice-irc",
   "engines": {
-    "node": ">=14"
+    "node": ">=16"
   },
   "scripts": {
     "prepare": "npm run build",
@@ -54,7 +54,7 @@
     "@types/extend": "^3.0.1",
     "@types/he": "^1.1.2",
     "@types/nedb": "^1.8.12",
-    "@types/node": "^14",
+    "@types/node": "^16",
     "@types/nopt": "^3.0.29",
     "@types/pg": "^8.6.4",
     "@types/sanitize-html": "^2.6.2",

package.json

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+import * as crypto from "crypto";
 import { BridgeRequest } from "../models/BridgeRequest";
 import { MatrixRoom, MatrixUser } from "matrix-appservice-bridge";
 import { IrcBridge } from "./IrcBridge";
@@ -601,6 +602,26 @@ export class AdminRoomHandler {
                 );
             }
             else {
+                try {
+                    const pk = crypto.createPrivateKey(key);
+                    const config = await this.ircBridge.getStore().getIrcClientConfig(userId, server.domain);
+                    if (config) {
+                        const cert = config.getSASLCert();
+                        if (cert) {
+                            const c = new crypto.X509Certificate(cert);
+                            if (!c.checkPrivateKey(pk)) {
+                                return new MatrixAction(
+                                    "notice",
+                                    "Private key does not match stored certificate. " +
+                                    "To store a new pair, first call !removecert.\n"
+                                );
+                            }
+                        }
+                    }
+                }
+                catch (err) {
+                    throw new Error(`Invalid private key: ${err.message})`);
+                }
                 await this.ircBridge.getStore().storeKey(userId, domain, key);
                 notice = new MatrixAction(
                     "notice", `Successfully stored SASL key for ${domain}. Use !reconnect to reauthenticate.`
@@ -652,6 +673,22 @@ export class AdminRoomHandler {
                         new MatrixUser(userId), server.domain
                     );
                 }
+                try {
+                    const c = new crypto.X509Certificate(cert);
+                    const pk = config.getSASLKey();
+                    if (pk) {
+                        if (!c.checkPrivateKey(crypto.createPrivateKey(pk))) {
+                            return new MatrixAction(
+                                "notice",
+                                "Certificate does not match stored private key. " +
+                                "To store a new pair, first call !removekey.\n"
+                            );
+                        }
+                    }
+                }
+                catch (err) {
+                    throw new Error(`Invalid certificate: ${err.message})`);
+                }
                 config.setSASLCert(cert);
                 await this.ircBridge.getStore().storeIrcClientConfig(config);
                 notice = new MatrixAction(

src/bridge/AdminRoomHandler.ts

@@ -58,7 +58,7 @@ export class RoomConfig {
         // We don't want to spend too long trying to fetch the state, so return null.
         return Promise.race([
             internalFunc(),
-            new Promise<null>(res => setTimeout(res, STATE_TIMEOUT_MS)),
+            new Promise<null>(res => setTimeout(res as unknown as ((args: void) => void), STATE_TIMEOUT_MS)),
         // We *never* want this function to throw, as it's critical for the bridging of messages.
         // Instead we return null for any errors.
         ]).catch(ex => {