selfsdk 0.0.126 → 0.0.131

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 74ab84c18470d9115ee847d3c737d70ca987c946db78957b1fb26848840ee67c
-  data.tar.gz: 36ff94d8ec89e4c02da41b0c53209c72c92aba3455907b0440a1026e5d710a91
+  metadata.gz: de6c98236b7c43869701b0d8d538e309c432104a7ff793dcff59f34b01615adf
+  data.tar.gz: da9ba6706eaf3ca113dd4c38a3b633a13850947c0cbfefe70ca1ce05b012e539
 SHA512:
-  metadata.gz: 8b3abe26489b0043512bf2f3aa97286eca248551dcb5ce43cee54a5f4a6fc01b9361c684119ba18cce7ade6f9d6ca52dcd07abe87e65b88b740e8ffc41fbf262
-  data.tar.gz: e193c7852ec51457f6f8235eccb42855e6bf37974dbc67c823bf4c53b12ac9d96caf5101d9d1ecc1f97a3cd148d7f64c2f65df12c39896792e1dd19fcbf89dab
+  metadata.gz: 9fffb2a10a98443d6396d2c0a108522c403e1b625c51b088e470996632749fc2368ec74238d82418c15fbe6bf1cdae3d8e3e454767e314f4dfc1b9e25fe3a6b7
+  data.tar.gz: 64ff7184a0235b16164476259987df92bbfb60f25cfeb9751ff9a838cb7aaf83d7fe7fdc06e8ade67a6c70ed3eaf19b4b04c33e2bd548e95d2eb66b074b9f4ad

data/lib/client.rb

@@ -59,11 +59,21 @@ module SelfSDK
     # Lists all public keys stored on self for the given ID
     #
     # @param id [string] identity id
+    # DEPRECATED
     def public_keys(id)
       i = entity(id)
       i[:public_keys]
     end
 
+    # Lists all public keys stored on self for the given ID
+    #
+    # @param id [string] identity id
+    def public_key(id, kid)
+      i = entity(id)
+      sg = SelfSDK::SignatureGraph.new(i[:history])
+      sg.key_by_id(kid)
+    end
+
     private
 
     def get_identity(endpoint)

data/lib/jwt_service.rb

@@ -5,7 +5,7 @@ require 'json'
 
 module SelfSDK
   class JwtService
-    attr_reader :id, :key
+    attr_reader :id, :key, :key_id
 
     # Jwt initializer
     #
@@ -13,7 +13,14 @@ module SelfSDK
     # @param app_key [string] the app api key provided by developer portal.
     def initialize(app_id, app_key)
       @id = app_id
-      @key = app_key
+      parts = app_key.split(':')
+      if parts.length > 1
+        @key_id = parts[0]
+        @key = parts[1]
+      else
+        @key_id = "1"
+        @key = app_key
+      end
     end
 
     # Prepares a jwt object based on an input
@@ -64,7 +71,9 @@ module SelfSDK
       if verify_key.verify(decode(payload[:signature]), "#{payload[:protected]}.#{payload[:payload]}")
         return true
       end
-    rescue StandardError
+      false
+    rescue StandardError => e
+      SelfSDK.logger.info e
       false
     end
 
@@ -85,7 +94,7 @@ module SelfSDK
     private
 
     def header
-      encode({ alg: "EdDSA", typ: "JWT" }.to_json)
+      encode({ alg: "EdDSA", typ: "JWT", kid: "#{@key_id}" }.to_json)
     end
   end
 end

data/lib/messages/attestation.rb

@@ -15,7 +15,8 @@ module SelfSDK
         @to = payload[:sub]
         @audience = payload[:aud]
         @source = payload[:source]
-        @verified = valid_signature?(attestation)
+        header = JSON.parse(@messaging.jwt.decode(attestation[:protected]), symbolize_names: true)
+        @verified = valid_signature?(attestation, header[:kid])
         @expected_value = payload[:expected_value]
         @operator = payload[:operator]
         @fact_name = name.to_s
@@ -24,8 +25,8 @@ module SelfSDK
         end
       end
 
-      def valid_signature?(body)
-        k = @messaging.client.public_keys(@origin).first[:key]
+      def valid_signature?(body, kid)
+        k = @messaging.client.public_key(@origin, kid).raw_public_key
         raise ::StandardError.new("invalid signature") unless @messaging.jwt.verify(body, k)
 
         true

data/lib/messages/base.rb

@@ -72,14 +72,15 @@ module SelfSDK
 
         jwt = JSON.parse(body, symbolize_names: true)
         payload = JSON.parse(@jwt.decode(jwt[:payload]), symbolize_names: true)
+        header = JSON.parse(@jwt.decode(jwt[:protected]), symbolize_names: true)
         @from = payload[:iss]
-        verify! jwt
+        verify! jwt, header[:kid]
         payload
       end
 
-      def verify!(jwt)
-        k = @client.public_keys(@from).first[:key]
-        return if @jwt.verify(jwt, k)
+      def verify!(input, kid)
+        k = @client.public_key(@from, kid).raw_public_key
+        return if @jwt.verify(input, k)
 
         SelfSDK.logger.info "skipping message, invalid signature"
         raise ::StandardError.new("invalid signature on incoming message")

data/lib/messaging.rb

@@ -44,7 +44,7 @@ module SelfSDK
       @offset_file = "#{@storage_dir}/#{@jwt.id}:#{@device_id}.offset"
       @offset = read_offset
 
-      FileUtils.mkdir_p @storage_dir unless File.exists? @storage_dir
+      FileUtils.mkdir_p @storage_dir unless File.exist? @storage_dir
 
       if options.include? :ws
         @ws = options[:ws]

data/lib/selfsdk.rb

@@ -7,6 +7,7 @@ require 'net/http'
 require 'rqrcode'
 require_relative 'log'
 require_relative 'jwt_service'
+require_relative 'signature_graph'
 require_relative 'client'
 require_relative 'messaging'
 require_relative 'ntptime'

data/lib/services/auth.rb

@@ -115,6 +115,7 @@ module SelfSDK
       def valid_payload(response)
         parse_payload(response)
       rescue StandardError => e
+        SelfSDK.logger.error e
         uuid = ""
         uuid = response[:cid] unless response.nil?
         SelfSDK.logger.error "error checking authentication for #{uuid} : #{e.message}"
@@ -153,10 +154,7 @@ module SelfSDK
         identity = @client.entity(payload[:sub])
         return if identity.nil?
 
-        identity[:public_keys].each do |key|
-          return payload if @client.jwt.verify(jws, key[:key])
-        end
-        nil
+        return payload
       end
     end
   end

data/lib/services/identity.rb

@@ -27,9 +27,10 @@ module SelfSDK
       # Gets an identity public keys
       #
       # @param [String] selfid gets the identity details (app/user)
+      # @param [String] kid the public key id.
       # @return [Array] with the identity public keys
-      def public_keys(selfid)
-        @client.public_keys(selfid)
+      def public_key(selfid, kid)
+        @client.public_key(selfid, kid).public_key
       end
 
       # Gets an app/identity details

data/lib/signature_graph.rb

@@ -0,0 +1,283 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'json'
+
+module SelfSDK
+
+  ACTION_ADD = "key.add"
+  ACTION_REVOKE = "key.revoke"
+  KEY_TYPE_DEVICE = "device.key"
+  KEY_TYPE_RECOVERY = "recovery.key"
+
+  class Operation
+
+    attr_reader :sequence, :previous, :timestamp, :actions, :signing_key, :jws
+
+    def initialize(operation)
+      @jws = operation
+
+      payload = Base64.urlsafe_decode64(@jws[:payload])
+      header = Base64.urlsafe_decode64(@jws[:protected])
+
+      op = JSON.parse(payload, symbolize_names: true)
+      hdr = JSON.parse(header, symbolize_names: true)
+
+      @sequence = op[:sequence]
+      @previous = op[:previous]
+      @timestamp = op[:timestamp]
+      @version = op[:version]
+      @actions = op[:actions]
+      @signing_key = hdr[:kid]
+
+      validate!
+    end
+
+    def validate!
+      raise "unknown operation version" if @version != "1.0.0"
+      raise "invalid operation sequence" if @sequence < 0
+      raise "operation does not specify a previous signature" if @previous.nil?
+      raise "invalid operation timestamp" if @timestamp < 1
+      raise "operation does not specify any actions" if @actions.nil?
+      raise "operation does not specify any actions" if @actions.length < 1
+      raise "operation does not specify an identifier for the signing key" if @signing_key.nil?
+    end
+
+    def revokes(kid)
+      @actions.each do |action|
+        if action[:kid] == kid && action[:action] == ACTION_REVOKE
+          return true
+        end
+      end
+      return false
+    end
+  end
+
+  class Key
+
+    attr_reader :kid, :did, :type, :created, :revoked, :public_key, :raw_public_key, :incoming, :outgoing
+
+    def initialize(action)
+      @kid = action[:kid]
+      @did = action[:did]
+      @type = action[:type]
+      @created = action[:from]
+      @revoked = 0
+
+      @raw_public_key = action[:key]
+      @public_key = Ed25519::VerifyKey.new(Base64.urlsafe_decode64(@raw_public_key))
+
+      @incoming = Array.new
+      @outgoing = Array.new
+    end
+
+    def valid_at(at)
+      created <= at && revoked == 0 || created <= at && revoked > at
+    end
+
+    def revoke(at)
+      @revoked = at
+    end
+
+    def revoked?
+      @revoked > 0
+    end
+
+    def child_keys
+      keys = @outgoing.dup
+
+      @outgoing.each do |k|
+        keys.concat k.child_keys
+      end
+
+      keys
+    end
+  end
+
+  class SignatureGraph
+    def initialize(history)
+      @root = nil
+      @keys = Hash.new
+      @devices = Hash.new
+      @signatures = Hash.new
+      @operations = Array.new
+      @recovery_key = nil
+
+      history.each do |operation|
+        execute(operation)
+      end
+    end
+
+    def key_by_id(kid)
+      k = @keys[kid]
+      raise "key not found" if k.nil?
+      k
+    end
+
+    def key_by_device(did)
+      k = @devices[did]
+      raise "key not found" if k.nil?
+      k
+    end
+
+    def execute(operation)
+      op = Operation.new(operation)
+
+      raise "operation sequence is out of order" if op.sequence != @operations.length
+
+      if op.sequence > 0
+        if @signatures[op.previous] != op.sequence - 1
+          raise "operation previous signature does not match"
+        end
+
+        if @operations[op.sequence - 1].timestamp >= op.timestamp
+          raise "operation timestamp occurs before previous operation"
+        end
+
+        sk = @keys[op.signing_key]
+
+        raise "operation specifies a signing key that does not exist" if sk.nil?
+
+        if sk.revoked? && op.timestamp > sk.revoked
+          raise "operation was signed by a key that was revoked at the time of signing"
+        end
+
+        if sk.type == KEY_TYPE_RECOVERY && op.revokes(op.signing_key) != true
+          raise "account recovery operation does not revoke the current active recovery key"
+        end
+      end
+
+      execute_actions(op)
+
+      sk = @keys[op.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if sk.nil?
+
+      if op.timestamp < sk.created || sk.revoked? && op.timestamp > sk.revoked
+        raise "operation was signed with a key that was revoked"
+      end
+
+      sig = Base64.urlsafe_decode64(op.jws[:signature])
+
+      sk.public_key.verify(sig, "#{op.jws[:protected]}.#{op.jws[:payload]}")
+
+      has_valid_key = false
+
+      @keys.each do |kid, k|
+        has_valid_key = true unless k.revoked?
+      end
+
+      raise "signature graph does not contain any active or valid keys" unless has_valid_key
+      raise "signature graph does not contain a valid recovery key" if @recovery_key.nil?
+      raise "signature graph does not contain a valid recovery key" if @recovery_key.revoked?
+
+      @operations.push(op)
+      @signatures[op.jws[:signature]] = op.sequence
+    end
+
+    private
+
+    def execute_actions(op)
+      op.actions.each do |action|
+        raise "operation action does not provide a key identifier" if action[:kid].nil?
+
+        if action[:type] != KEY_TYPE_DEVICE && action[:type] != KEY_TYPE_RECOVERY
+          raise "operation action does not provide a valid type"
+        end
+
+        if action[:action] != ACTION_ADD && action[:action] != ACTION_REVOKE
+          raise "operation action does not provide a valid action"
+        end
+
+        if action[:action] == ACTION_ADD && action[:key].nil?
+          raise "operation action does not provide a valid public key"
+        end
+
+        if action[:action] == ACTION_ADD && action[:type] == KEY_TYPE_DEVICE && action[:did].nil?
+          raise "operation action does not provide a valid device id"
+        end
+
+        if action[:from] < 0
+          raise "operation action does not provide a valid timestamp for the action to take effect from"
+        end
+
+        case action[:action]
+        when ACTION_ADD
+          action[:from] = op.timestamp
+          add(op, action)
+        when ACTION_REVOKE
+          revoke(op, action)
+        end
+      end
+    end
+
+    def add(operation, action)
+      if @keys[action[:kid]].nil? != true
+        raise "operation contains a key with a duplicate identifier"
+      end
+
+      k = Key.new(action)
+
+      case action[:type]
+      when KEY_TYPE_DEVICE
+        dk = @devices[action[:did]]
+        unless dk.nil?
+          raise "operation contains more than one active key for a device" unless dk.revoked?
+        end
+      when KEY_TYPE_RECOVERY
+        unless @recovery_key.nil?
+          raise "operation contains more than one active recovery key" unless @recovery_key.revoked?
+        end
+
+        @recovery_key = k
+      end
+
+      @keys[k.kid] = k
+      @devices[k.did] = k
+
+      if operation.sequence == 0 && operation.signing_key == action[:kid]
+        @root = k
+        return
+      end
+
+      parent = @keys[operation.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if parent.nil?
+
+      k.incoming.push(parent)
+      parent.outgoing.push(k)
+    end
+
+    def revoke(operation, action)
+      k = @keys[action[:kid]]
+
+      raise "operation tries to revoke a key that does not exist" if k.nil?
+      raise "root operation cannot revoke keys" if operation.sequence < 1
+      raise "operation tries to revoke a key that has already been revoked" if k.revoked?
+
+      k.revoke(action[:from])
+
+      sk = @keys[operation.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if k.nil?
+
+      # if this is an account recovery, nuke all existing keys
+      if sk.type == KEY_TYPE_RECOVERY
+        @root.revoke(action[:from])
+
+        @root.child_keys.each do |ck|
+          ck.revoke(action[:from]) unless ck.revoked?
+        end
+
+        return
+      end
+
+      k.child_keys.each do |ck|
+        ck.revoke(action[:from]) unless ck.created < action[:from]
+      end
+    end
+
+  end
+
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: selfsdk
 version: !ruby/object:Gem::Version
-  version: 0.0.126
+  version: 0.0.131
 platform: ruby
 authors:
 - Aldgate Ventures
@@ -325,9 +325,11 @@ files:
 - lib/services/facts.rb
 - lib/services/identity.rb
 - lib/services/messaging.rb
+- lib/signature_graph.rb
 - lib/sources.rb
 homepage: https://www.joinself.com/
-licenses: []
+licenses:
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []