Actor public key specifies whether it's shared

Shared key means the key is used for multiple actors. I'm not sure explicitly
specifying this will be necessary, but I prefer to have it in place to help
with debugging in case something unexpected comes from other servers, or my
format overlaps with stuff used in other software and encodes a different
meaning.

Each public key can specify whether it's shared or personal, and this patch
checks for that when verifying a request signature. It rejects shared keys,
accepting valid sigs only from personal keys.

Very soon I'll add shared key support.
fr33domlover 2019-02-03 11:12:18 +00:00
parent 991296faa1
commit 21c8df1251
3 changed files with 20 additions and 13 deletions


@ -584,6 +584,9 @@ instance YesodHttpSig App where
then Right () then Right ()
else Left "Actor ID doesn't match the keyid URI we fetched" else Left "Actor ID doesn't match the keyid URI we fetched"
let pkey = actorPublicKey actor let pkey = actorPublicKey actor
if publicKeyShared pkey
then Left "Actor's publicKey is shared, we're rejecting it!"
else Right ()
if publicKeyId pkey == u if publicKeyId pkey == u
then Right () then Right ()
else Left "Actor's publicKey's ID doesn't match the keyid URI" else Left "Actor's publicKey's ID doesn't match the keyid URI"
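Review bot: The new `publicKeyShared pkey` rejection in this hunk depends entirely on what the remote key document declares about itself, and the `FromJSON PublicKey` change in this same commit parses a missing property with `.:? (frg <> "shared") .!= False`, so a key that simply omits the field is treated as personal. That fits the debugging purpose the description gives, but a reader could mistake the branch for an enforcement boundary; the actor-ID check above and the key-ID comparison below are the checks visible here that tie the key to the `keyid` URI. I would add a comment above the `if`, for example `-- 'shared' is self-declared and defaults to False when absent; do not rely on this check alone to bind a key to one actor`. The enclosing do-block starts and ends outside the hunk, so any owner check that follows is not visible from here.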


@ -158,6 +158,7 @@ getPersonR shr = do
, publicKeyOwner = me , publicKeyOwner = me
, publicKeyPem = PEM "PUBLIC KEY" [] actorKey , publicKeyPem = PEM "PUBLIC KEY" [] actorKey
, publicKeyAlgo = Just AlgorithmEd25519 , publicKeyAlgo = Just AlgorithmEd25519
, publicKeyShared = False
} }
} }


@ -112,6 +112,7 @@ data PublicKey = PublicKey
, publicKeyOwner :: URI , publicKeyOwner :: URI
, publicKeyPem :: PEM , publicKeyPem :: PEM
, publicKeyAlgo :: Maybe Algorithm , publicKeyAlgo :: Maybe Algorithm
, publicKeyShared :: Bool
} }
instance FromJSON PublicKey where instance FromJSON PublicKey where
@ -121,6 +122,7 @@ instance FromJSON PublicKey where
<*> (parseHttpsURI =<< o .: "owner") <*> (parseHttpsURI =<< o .: "owner")
<*> (parsePEM =<< o .: "publicKeyPem") <*> (parsePEM =<< o .: "publicKeyPem")
<*> o .:? (frg <> "algorithm") <*> o .:? (frg <> "algorithm")
<*> o .:? (frg <> "shared") .!= False
where where
parsePEM t = parsePEM t =
case pemParseBS $ encodeUtf8 t of case pemParseBS $ encodeUtf8 t of
@ -133,12 +135,13 @@ instance FromJSON PublicKey where
instance ToJSON PublicKey where instance ToJSON PublicKey where
toJSON = error "toJSON PublicKey" toJSON = error "toJSON PublicKey"
toEncoding (PublicKey id_ owner pem malgo) = toEncoding (PublicKey id_ owner pem malgo shared) =
pairs pairs
$ "id" .= renderURI id_ $ "id" .= renderURI id_
<> "owner" .= renderURI owner <> "owner" .= renderURI owner
<> "publicKeyPem" .= decodeUtf8 (pemWriteBS pem) <> "publicKeyPem" .= decodeUtf8 (pemWriteBS pem)
<> maybe mempty ((frg <> "algorithm") .=) malgo <> (frg <> "algorithm") .=? malgo
<> (frg <> "shared") .= shared
data Actor = Actor data Actor = Actor
{ actorId :: URI { actorId :: URI