Actor public key specifies whether it's shared
Shared key means the key is used for multiple actors. I'm not sure explicitly specifying this will be necessary, but I prefer to have it in place to help with debugging in case something unexpected comes from other servers, or my format overlaps with stuff used in other software and encodes a different meaning. Each public key can specify whether it's shared or personal, and this patch checks for that when verifying a request signature. It rejects shared keys, accepting valid sigs only from personal keys. Very soon I'll add shared key support.
parent
991296faa1
commit
21c8df1251
3 changed files with 20 additions and 13 deletions
|
@ -584,6 +584,9 @@ instance YesodHttpSig App where
|
||||||
then Right ()
|
then Right ()
|
||||||
else Left "Actor ID doesn't match the keyid URI we fetched"
|
else Left "Actor ID doesn't match the keyid URI we fetched"
|
||||||
let pkey = actorPublicKey actor
|
let pkey = actorPublicKey actor
|
||||||
|
if publicKeyShared pkey
|
||||||
|
then Left "Actor's publicKey is shared, we're rejecting it!"
|
||||||
|
else Right ()
|
||||||
if publicKeyId pkey == u
|
if publicKeyId pkey == u
|
||||||
then Right ()
|
then Right ()
|
||||||
else Left "Actor's publicKey's ID doesn't match the keyid URI"
|
else Left "Actor's publicKey's ID doesn't match the keyid URI"
|
||||||
|
|
|
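Review bot: The `publicKeyShared pkey` check rejects only keys whose own JSON declares them shared; the flag comes from the fetched actor document, so it is a sanity check rather than proof that the key is personal to this actor. In the visible lines the key is tied to the actor only by the two URI comparisons around the check, and a comparison of `publicKeyOwner pkey` with the actor ID is not visible in this hunk, so it is worth confirming one exists elsewhere in the function before shared keys are accepted. I would add a comment above the check such as `-- 'shared' is self-declared by the remote server; this only rejects keys that say they are shared`. The enclosing function starts and ends outside the hunk.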
@ -154,10 +154,11 @@ getPersonR shr = do
|
||||||
, actorUsername = shr2text shr
|
, actorUsername = shr2text shr
|
||||||
, actorInbox = route2uri InboxR
|
, actorInbox = route2uri InboxR
|
||||||
, actorPublicKey = PublicKey
|
, actorPublicKey = PublicKey
|
||||||
{ publicKeyId = me { uriFragment = "#key" }
|
{ publicKeyId = me { uriFragment = "#key" }
|
||||||
, publicKeyOwner = me
|
, publicKeyOwner = me
|
||||||
, publicKeyPem = PEM "PUBLIC KEY" [] actorKey
|
, publicKeyPem = PEM "PUBLIC KEY" [] actorKey
|
||||||
, publicKeyAlgo = Just AlgorithmEd25519
|
, publicKeyAlgo = Just AlgorithmEd25519
|
||||||
|
, publicKeyShared = False
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -108,10 +108,11 @@ instance ToJSON Algorithm where
|
||||||
AlgorithmOther t -> t
|
AlgorithmOther t -> t
|
||||||
|
|
||||||
data PublicKey = PublicKey
|
data PublicKey = PublicKey
|
||||||
{ publicKeyId :: URI
|
{ publicKeyId :: URI
|
||||||
, publicKeyOwner :: URI
|
, publicKeyOwner :: URI
|
||||||
, publicKeyPem :: PEM
|
, publicKeyPem :: PEM
|
||||||
, publicKeyAlgo :: Maybe Algorithm
|
, publicKeyAlgo :: Maybe Algorithm
|
||||||
|
, publicKeyShared :: Bool
|
||||||
}
|
}
|
||||||
|
|
||||||
instance FromJSON PublicKey where
|
instance FromJSON PublicKey where
|
||||||
|
@ -121,6 +122,7 @@ instance FromJSON PublicKey where
|
||||||
<*> (parseHttpsURI =<< o .: "owner")
|
<*> (parseHttpsURI =<< o .: "owner")
|
||||||
<*> (parsePEM =<< o .: "publicKeyPem")
|
<*> (parsePEM =<< o .: "publicKeyPem")
|
||||||
<*> o .:? (frg <> "algorithm")
|
<*> o .:? (frg <> "algorithm")
|
||||||
|
<*> o .:? (frg <> "shared") .!= False
|
||||||
where
|
where
|
||||||
parsePEM t =
|
parsePEM t =
|
||||||
case pemParseBS $ encodeUtf8 t of
|
case pemParseBS $ encodeUtf8 t of
|
||||||
|
@ -133,12 +135,13 @@ instance FromJSON PublicKey where
|
||||||
|
|
||||||
instance ToJSON PublicKey where
|
instance ToJSON PublicKey where
|
||||||
toJSON = error "toJSON PublicKey"
|
toJSON = error "toJSON PublicKey"
|
||||||
toEncoding (PublicKey id_ owner pem malgo) =
|
toEncoding (PublicKey id_ owner pem malgo shared) =
|
||||||
pairs
|
pairs
|
||||||
$ "id" .= renderURI id_
|
$ "id" .= renderURI id_
|
||||||
<> "owner" .= renderURI owner
|
<> "owner" .= renderURI owner
|
||||||
<> "publicKeyPem" .= decodeUtf8 (pemWriteBS pem)
|
<> "publicKeyPem" .= decodeUtf8 (pemWriteBS pem)
|
||||||
<> maybe mempty ((frg <> "algorithm") .=) malgo
|
<> (frg <> "algorithm") .=? malgo
|
||||||
|
<> (frg <> "shared") .= shared
|
||||||
|
|
||||||
data Actor = Actor
|
data Actor = Actor
|
||||||
{ actorId :: URI
|
{ actorId :: URI
|
||||||
|
|
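Review bot: In the `FromJSON PublicKey` hunk, `o .:? (frg <> "shared") .!= False` makes an absent property parse as a personal key, which is exactly the state the signature check accepts, so a server that uses one key for several actors but does not emit this property passes as personal. That default is probably needed for interoperability, but it should be written down: a Haddock comment on the new field, for example `-- ^ True when the key is used by several actors; parsed as False when the property is absent`, plus a short comment on the parser line. If the distinction later matters for authorisation, a `Maybe Bool` field or a small sum type would keep "not stated" apart from "stated personal". The `FromJSON` and `ToJSON` instances are only partly visible in this section.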