Commit graph

62 commits

Author SHA1 Message Date
fr33domlover
e325175a9c Publish 2 rotating instance-scope keys instead of the one-implicitly-shared-key
Before, there was a single key used as a personal key for all actors. Now,
things work like this:

- There are 2 keys, each time one is rotated, this way the old key remains
  valid and we can freely rotate without a risk of race conditions on other
  servers and end up with our posts being rejected
- The keys are explicitly instance-scope keys, all actors refer to them
- We add the ActivityPub-Actor header to all activity POSTs we send, to declare
  for which specific actor our signature applies. Activities and otherwise
  different payloads may have varying ways to specify attribution; using this
  header will be a standard uniform way to specify the actor, regardless of
  payload format. Of course, servers should make sure the actual activity is
  attributed to the same actor we specified in the header. (This is important
  with instance-scope keys; for personal keys it's not critical)
2019-02-07 10:34:33 +00:00
fr33domlover
8166d5b5eb Support for instance-scope keys when verifying HTTP signature 2019-02-06 02:48:23 +00:00
fr33domlover
400245cf34 Accept HTTP signatures made with shared instance-scope actor keys 2019-02-05 13:02:15 +00:00
fr33domlover
c2c4e24497 Support actor key expiration
Allow keys to specify expiration time using w3c security vocabulary. If a key
has expired, we treat it like sig validation failure and re-fetch the key from
the other server. And we never accept a sig, even a valid sig, if the key has
expired.

Since servers keep actors and keys in the DB, expiration can be a nice way to
ask that keys aren't used more than we want them to. The security vocab spec
also recommends to set expiration time on keys, so it's nice to support this
feature.
2019-02-05 04:05:44 +00:00
fr33domlover
37b3416a41 Support remote actors specifying 2 keys, and DB storage of these keys
It's now possible for activities we be attributed to actors that have more than
one key. We allow up to 2 keys. We also store in the DB. Scaling to support any
number of keys is trivial, but I'm limiting to 2 to avoid potential trouble and
because 2 is the actual number we need.

By having 2 keys, and replacing only one of them in each rotation, we avoid
race conditions. With 1 key, the following can happen:

1. We send an activity to another server
2. We rotate our key
3. The server reaches the activity in its processing queue, tries to verify our
   request signature, but fails because it can't fetch the key. It's the old
   key and we discarded it already, replaced it with the new one

When we use 2 keys, the previous key remains available and other servers have
time to finish processing our requests signed with that key. We can safely
rotate, without worrying about whether the user sent anything right before the
rotation time.

Caveat: With this feature, we allow OTHER servers to rotate freely. It's safe
because it's optional, but it's just Vervis right now. Once Vervis itself
starts using 2 keys, it will be able to rotate freely without race condition
risk, but probably Mastodon etc. won't accept its signatures because of the use
of 2 keys and because they're server-scope keys.

Maybe I can get these features adopted by the fediverse?
2019-02-04 19:38:50 +00:00
fr33domlover
02da508ed0 Allow actor publicKey to be a URI, and require the URI to match the Sig keyId 2019-02-04 10:07:25 +00:00
fr33domlover
c336d56036 Allow actor public key to be in a separate document 2019-02-03 23:39:56 +00:00
fr33domlover
21c8df1251 Actor public key specifies whether it's shared
Shared key means the key is used for multiple actors. I'm not sure explicitly
specifying this will be necessary, but I prefer to have it in place to help
with debugging in case something unexpected comes from other servers, or my
format overlaps with stuff used in other software and encodes a different
meaning.

Each public key can specify whether it's shared or personal, and this patch
checks for that when verifying a request signature. It rejects shared keys,
accepting valid sigs only from personal keys.

Very soon I'll add shared key support.
2019-02-03 11:12:18 +00:00
fr33domlover
991296faa1 Move some JSON/AP codec utils to new Data.Aeson.Local module 2019-02-03 11:01:36 +00:00
fr33domlover
e6f987817e Fix: HTTP signature wasn't being sent in AP POSTs 2019-02-03 10:59:35 +00:00
fr33domlover
04e26a911d In httpGetAP, if we got an unexpected Content-Type, specify it in error message 2019-01-21 22:24:09 +00:00
fr33domlover
1f47ca39eb Federation test outbox page with form for entering JSON 2019-01-21 15:54:57 +00:00