Add schemas and functions to query signing keys from servers

This commit is contained in:
Pim Kunis 2021-08-13 00:45:07 +02:00
parent e6b3c4752d
commit fb59fee754
13 changed files with 234 additions and 34 deletions

View file

@ -90,4 +90,23 @@ defmodule MatrixServer do
|> Map.from_struct()
|> Map.drop(waste_fields)
end
def add_signature(object, key_id, sig) when not is_map_key(object, :signatures) do
Map.put(object, :signatures, %{MatrixServer.server_name() => %{key_id => sig}})
end
def add_signature(%{signatures: sigs} = object, key_id, sig) do
new_sigs =
Map.update(sigs, MatrixServer.server_name(), %{key_id => sig}, &Map.put(&1, key_id, sig))
%{object | signatures: new_sigs}
end
def validate_change_simple(changeset, field, func) do
augmented_func = fn _, val ->
if func.(val), do: [], else: [{field, "invalid"}]
end
Ecto.Changeset.validate_change(changeset, field, augmented_func)
end
end

View file

@ -13,7 +13,7 @@ defmodule MatrixServer.Application do
MatrixServerWeb.Endpoint,
{Registry, keys: :unique, name: MatrixServer.RoomServer.Registry},
{DynamicSupervisor, name: MatrixServer.RoomServer.Supervisor, strategy: :one_for_one},
MatrixServer.SigningServer,
MatrixServer.KeyServer,
{Finch, name: MatrixServerWeb.HTTPClient}
]

View file

@ -1,4 +1,4 @@
defmodule MatrixServer.SigningServer do
defmodule MatrixServer.KeyServer do
use GenServer
# TODO: only support one signing key for now.
@ -14,15 +14,15 @@ defmodule MatrixServer.SigningServer do
GenServer.call(__MODULE__, {:sign_object, object})
end
def get_signing_keys(encoded \\ false) do
GenServer.call(__MODULE__, {:get_signing_keys, encoded})
def get_own_signing_keys() do
GenServer.call(__MODULE__, :get_own_signing_keys)
end
## Implementation
@impl true
def init(_opts) do
{public_key, private_key} = get_keys()
{public_key, private_key} = read_keys()
{:ok, %{public_key: public_key, private_key: private_key}}
end
@ -34,10 +34,10 @@ defmodule MatrixServer.SigningServer do
end
end
def handle_call({:get_signing_keys, encoded}, _from, %{public_key: public_key} = state) do
result = if encoded, do: MatrixServer.encode_unpadded_base64(public_key), else: public_key
def handle_call(:get_own_signing_keys, _from, %{public_key: public_key} = state) do
encoded_key = MatrixServer.encode_unpadded_base64(public_key)
{:reply, [{@signing_key_id, result}], state}
{:reply, [{@signing_key_id, encoded_key}], state}
end
# https://blog.swwomm.com/2020/09/elixir-ed25519-signatures-with-enacl.html
@ -53,7 +53,7 @@ defmodule MatrixServer.SigningServer do
end
# TODO: not sure if there is a better way to do this...
defp get_keys do
def read_keys do
raw_priv_key =
Application.get_env(:matrix_server, :private_key_file)
|> File.read!()

View file

@ -42,9 +42,7 @@ defmodule MatrixServer.Device do
def generate_device_id(localpart) do
# TODO: use random string instead
time_string = System.os_time(:millisecond) |> Integer.to_string()
"#{localpart}_#{time_string}"
"#{localpart}_#{System.os_time(:millisecond)}"
end
def login(%Login{} = input, account) do

View file

@ -3,7 +3,7 @@ defmodule MatrixServer.Event do
import Ecto.Query
alias MatrixServer.{Repo, Room, Event, Account, OrderedMap, SigningServer}
alias MatrixServer.{Repo, Room, Event, Account, OrderedMap, KeyServer}
@primary_key {:event_id, :string, []}
schema "events" do
@ -280,7 +280,7 @@ defmodule MatrixServer.Event do
event
|> Map.put(:hashes, %{"sha256" => content_hash})
|> redact()
|> SigningServer.sign_object()
|> KeyServer.sign_object()
end
defp calculate_content_hash(event) do

View file

@ -0,0 +1,80 @@
defmodule MatrixServer.ServerKeyInfo do
use Ecto.Schema
import Ecto.Query
alias MatrixServer.{Repo, ServerKeyInfo, SigningKey}
alias MatrixServerWeb.FederationClient
alias MatrixServerWeb.Federation.Request.GetSigningKeys
alias Ecto.Multi
@primary_key {:server_name, :string, []}
schema "server_key_info" do
field :valid_until, :integer
has_many :signing_keys, SigningKey, foreign_key: :server_name
end
def with_fresh_signing_keys(server_name) do
current_time = System.os_time(:millisecond)
case with_signing_keys(server_name) do
nil ->
# We have not encountered this server before, always request keys.
refresh_signing_keys(server_name)
%ServerKeyInfo{valid_until: valid_until} when valid_until <= current_time ->
# Keys are expired; request fresh ones from server.
refresh_signing_keys(server_name)
ski ->
{:ok, ski}
end
end
defp refresh_signing_keys(server_name) do
in_a_week = System.os_time(:millisecond) + 1000 * 60 * 60 * 24 * 7
client = FederationClient.client(server_name)
with {:ok, %GetSigningKeys{verify_keys: verify_keys, valid_until_ts: valid_until}} <-
FederationClient.get_signing_keys(client) do
signing_keys =
Enum.map(verify_keys, fn {key_id, %{"key" => key}} ->
[server_name: server_name, signing_key_id: key_id, signing_key: key]
end)
# Always check every week to prevent misuse.
ski = %ServerKeyInfo{server_name: server_name, valid_until: min(valid_until, in_a_week)}
case upsert_multi(server_name, ski, signing_keys) |> Repo.transaction() do
{:ok, %{ski: ski}} -> {:ok, ski}
{:error, _} -> :error
end
else
:error ->
:error
end
end
defp upsert_multi(server_name, ski, signing_keys) do
Multi.new()
|> Multi.insert(:ski, ski,
on_conflict: {:replace, [:valid_until]},
conflict_target: [:server_name]
)
|> Multi.insert_all(:insert_keys, SigningKey, signing_keys, on_conflict: :nothing)
|> Multi.run(:ski, fn _, _ ->
case with_signing_keys(server_name) do
nil -> {:error, :ski}
ski -> {:ok, ski}
end
end)
end
defp with_signing_keys(server_name) do
ServerKeyInfo
|> where([ski], ski.server_name == ^server_name)
|> preload([ski], [:signing_keys])
|> Repo.one()
end
end

View file

@ -0,0 +1,33 @@
defmodule MatrixServer.SigningKey do
use Ecto.Schema
import Ecto.Changeset
import Ecto.Query
alias MatrixServer.{Repo, SigningKey, ServerKeyInfo}
@primary_key false
schema "signing_keys" do
field :signing_key_id, :string, primary_key: true
field :signing_key, :binary
belongs_to :server_key_info, ServerKeyInfo,
foreign_key: :server_name,
references: :server_name,
type: :string,
primary_key: true
end
def changeset(signing_key, params \\ %{}) do
signing_key
|> cast(params, [:server_name, :signing_key_id, :signing_key])
|> validate_required([:server_name, :signing_key_id, :signing_key])
|> unique_constraint([:server_name, :signing_key_id], name: :signing_keys_pkey)
end
def for_server(server_name) do
SigningKey
|> where([s], s.server_name == ^server_name)
|> Repo.all()
end
end

View file

@ -1,19 +1,17 @@
defmodule MatrixServerWeb.AuthenticateServer do
import MatrixServerWeb.Plug.Error
alias MatrixServer.SigningServer
alias MatrixServer.SigningKey
@auth_header_regex ~r/^X-Matrix origin=(?<origin>.*),key="(?<key>.*)",sig="(?<sig>.*)"$/
def authenticate(
%Plug.Conn{
def authenticate(%Plug.Conn{
body_params: body_params,
req_headers: headers,
request_path: path,
method: method,
query_string: query_string
}
) do
}) do
object_to_sign = %{
uri: path <> "?" <> URI.decode_www_form(query_string),
method: method,
@ -32,13 +30,16 @@ defmodule MatrixServerWeb.AuthenticateServer do
headers
|> parse_authorization_headers()
|> Enum.find(:error, fn {origin, _, sig} ->
# TODO: fetch actual signing keys for origin from cache/key store.
{_, signing_key} = SigningServer.get_signing_keys() |> hd()
object = object_fun.(origin)
with {:ok, raw_sig} <- MatrixServer.decode_base64(sig),
{:ok, encoded_object} <- MatrixServer.encode_canonical_json(object) do
# TODO: Only query once per origin.
# TODO: Handle expired keys.
SigningKey.for_server(origin)
|> Enum.find_value(false, fn %SigningKey{signing_key: signing_key} ->
:enacl.sign_verify_detached(raw_sig, encoded_object, signing_key)
end)
else
_ -> false
end
@ -70,6 +71,7 @@ defmodule MatrixServerWeb.AuthenticateServer do
{origin, _key, _sig} ->
conn = Plug.Conn.assign(conn, :origin, origin)
apply(__MODULE__, action, [conn, conn.params])
:error ->
put_error(conn, :unauthorized, "Signature verification failed.")
end

View file

@ -3,13 +3,13 @@ defmodule MatrixServerWeb.Federation.KeyController do
import MatrixServerWeb.Plug.Error
alias MatrixServer.SigningServer
alias MatrixServer.KeyServer
@key_valid_time_ms 1000 * 60 * 24 * 30
def get_signing_keys(conn, _params) do
keys =
SigningServer.get_signing_keys(true)
KeyServer.get_own_signing_keys()
|> Enum.into(%{}, fn {key_id, key} ->
{key_id, %{"key" => key}}
end)
@ -21,13 +21,15 @@ defmodule MatrixServerWeb.Federation.KeyController do
valid_until_ts: System.os_time(:millisecond) + @key_valid_time_ms
}
case SigningServer.sign_object(data) do
{:ok, signed_data} ->
case KeyServer.sign_object(data) do
{:ok, sig, key_id} ->
signed_data = MatrixServer.add_signature(data, key_id, sig)
conn
|> put_status(200)
|> json(signed_data)
{:error, _msg} ->
:error ->
put_error(conn, :unknown, "Error signing object.")
end
end

View file

@ -0,0 +1,36 @@
defmodule MatrixServerWeb.Federation.Request.GetSigningKeys do
use Ecto.Schema
import Ecto.Changeset
@primary_key false
embedded_schema do
field :server_name, :string
field :verify_keys, {:map, {:map, :string}}
field :old_verify_keys, {:map, :map}
field :signatures, {:map, {:map, :string}}
field :valid_until_ts, :integer
end
def changeset(params) do
# TODO: There must be a better way to validate embedded maps?
%__MODULE__{}
|> cast(params, [:server_name, :verify_keys, :old_verify_keys, :signatures, :valid_until_ts])
|> validate_required([:server_name, :verify_keys, :valid_until_ts])
|> MatrixServer.validate_change_simple(:verify_keys, fn map ->
Enum.all?(map, fn {_, map} ->
is_map_key(map, "key")
end)
end)
|> MatrixServer.validate_change_simple(:old_verify_keys, fn map ->
Enum.all?(map, fn
{_, %{"key" => key, "expired_ts" => expired_ts}}
when is_binary(key) and is_integer(expired_ts) ->
true
_ ->
false
end)
end)
end
end

View file

@ -2,6 +2,7 @@ defmodule MatrixServerWeb.FederationClient do
use Tesla
alias MatrixServerWeb.Endpoint
alias MatrixServerWeb.Federation.Request.GetSigningKeys
alias MatrixServerWeb.Router.Helpers, as: RouteHelpers
# TODO: Maybe create database-backed homeserver struct to pass to client function.
@ -17,7 +18,15 @@ defmodule MatrixServerWeb.FederationClient do
end
def get_signing_keys(client) do
Tesla.get(client, RouteHelpers.key_path(Endpoint, :get_signing_keys))
# TODO: Extract into seperate function.
# TODO: Check signatures for each verify key.
with {:ok, %Tesla.Env{body: body}} <-
Tesla.get(client, RouteHelpers.key_path(Endpoint, :get_signing_keys)),
%Ecto.Changeset{valid?: true} = cs <- GetSigningKeys.changeset(body) do
{:ok, Ecto.Changeset.apply_changes(cs)}
else
_ -> :error
end
end
# TODO: Create tesla middleware to add signature and headers.
@ -33,7 +42,7 @@ defmodule MatrixServerWeb.FederationClient do
destination: server_name
}
{:ok, signature, key_id} = MatrixServer.SigningServer.sign_object(object_to_sign)
{:ok, signature, key_id} = MatrixServer.KeyServer.sign_object(object_to_sign)
signatures = %{origin => %{key_id => signature}}
auth_headers = create_signature_authorization_headers(signatures, origin)

View file

@ -0,0 +1,19 @@
defmodule MatrixServer.Repo.Migrations.CreateSigningKeyAndServerKeyInfoTable do
use Ecto.Migration
def change do
create table(:server_key_info, primary_key: false) do
add :server_name, :string, primary_key: true, null: false
add :valid_until, :bigint, default: 0, null: false
end
create table(:signing_keys, primary_key: false) do
add :server_name,
references(:server_key_info, column: :server_name, type: :string, on_delete: :delete_all),
null: false
add :signing_key_id, :string, primary_key: true, null: false
add :signing_key, :binary, null: false
end
end
end

2
psql.sh Executable file
View file

@ -0,0 +1,2 @@
#!/bin/bash
sudo -u postgres psql -d matrix_server_dev