Eventually-decentralized project hosting and management platform
Clone
HTTPS:
darcs clone https://vervis.peers.community/repos/WvWbo
SSH:
darcs clone USERNAME@vervis.peers.community:WvWbo
Tags
TODO
ActorKey.hs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 | {- This file is part of Vervis.
-
- Written in 2019, 2022 by fr33domlover <fr33domlover@riseup.net>.
-
- ♡ Copying is an act of love. Please copy, reuse and share.
-
- The author(s) have dedicated all copyright and related and neighboring
- rights to this software to the public domain worldwide. This software is
- distributed without any warranty.
-
- You should have received a copy of the CC0 Public Domain Dedication along
- with this software. If not, see
- <http://creativecommons.org/publicdomain/zero/1.0/>.
-}
module Crypto.ActorKey
( ActorKey ()
, generateActorKey
, actorKeyRotator
, actorKeyPublicBin
, actorKeySign
, actorKeyVerify
)
where
import Control.Exception.Base
import Control.Concurrent (threadDelay)
import Control.Concurrent.STM (TVar, modifyTVar')
import Control.Monad (forever)
import Control.Monad.STM (atomically)
import Crypto.Error
import Crypto.PubKey.Ed25519 hiding (Signature)
import Data.Bifunctor
import Data.ByteArray (convert)
import Data.ByteString (ByteString)
import Data.Text (Text)
import Data.Time.Interval (TimeInterval, microseconds)
import Data.PEM
import Data.X509
import Database.Persist
import Database.Persist.Sql
import Network.HTTP.Signature (Signature (..))
import System.Directory (doesFileExist)
import qualified Data.ByteString as B (writeFile, readFile)
import qualified Data.Text as T
import Crypto.PublicVerifKey
import Data.KeyFile
import Control.Concurrent.Local
-- | Ed25519 signing key, we generate it on the server and use for signing. We
-- also make its public key available to whoever wishes to verify our
-- signatures.
data ActorKey = ActorKey
{ actorKeySecret :: SecretKey
-- ^ Secret key in binary form.
, actorKeyPublic :: PublicKey
-- ^ Public key in binary form.
-- , actorKeyPubPEM :: ByteString
-- ^ Public key in PEM format. This can be generated from the binary
-- form, but we keep it here because it's used for sending the public
-- key to whoever wishes to verify our signatures. So, we generate a
-- key once and potentially send the PEM many times.
}
instance KeyFile ActorKey where
generateKey = generateActorKey
parseKey b = do
secret <- throwCryptoErrorIO $ secretKey b
return ActorKey
{ actorKeySecret = secret
, actorKeyPublic = toPublic secret
}
renderKey = convert . actorKeySecret
actorKeySecretBin :: ActorKey -> ByteString
actorKeySecretBin = convert . actorKeySecret
instance PersistField ActorKey where
toPersistValue = toPersistValue . actorKeySecretBin
fromPersistValue v = do
b <- fromPersistValue v :: Either Text ByteString
secret <- bimap showError id $ eitherCryptoError $ secretKey b
return ActorKey
{ actorKeySecret = secret
, actorKeyPublic = toPublic secret
}
where
showError e =
"Parsing ActorKey from DB failed: " <> T.pack (displayException e)
instance PersistFieldSql ActorKey where
sqlType = sqlType . fmap actorKeySecretBin
{-
-- | Ed25519 public key for signature verification. We receive these public
-- keys from other servers and we use them to verify HTTP request signatures.
data ActorPublicKey = ActorPublicKey
{ actorPublicKeyBin :: PublicKey
-- ^ Public key in binary form. This is used for signature verification.
, actorPublicKeyPem :: ByteString
-- ^ Public key in PEM format. We can use it for formatting the key as
-- JSON, and generally into textual formats.
, actorPublicKeyId :: URI
-- ^ Public key ID URI. We can use it for formatting the key as JSON or
-- other textual formats, and for verifying that it's identical to the
-- URI we used for retrieving the key.
, actorPublicKeyActor :: URI
-- ^ Public key's actor URI. We can use it for formatting the key as JSON
-- or other textual formats, and for verifying that it's identical to
-- the actor ID through which we found the key. We can also check that
-- this ID matches the actor ID to which content is attributed, to make
-- sure we don't accept content claimed to be authored by someone other
-- than the actor who signed the request.
}
instance FromJSON ActorPublicKey where
parseJSON = withObject "ActorPublicKey" $ \ o -> do
pem <- o .: "publicKeyPem"
ActorPublicKey
<$> parsePEM pem
<*> pure pem
<*> parseURI' =<< (o .: "id" <|> o .: "@id")
<*> parseURI' =<< o .: "owner"
where
parsePEM b =
case pemParseBS b of
Left e -> fail $ "PEM parsing failed: " ++ e
Right xs ->
case xs of
[] -> fail "Empty PEM"
[x] ->
case publickey $ pemContent x of
CryptoPassed k -> return k
CryptoFailed e -> fail $ show e
_ -> fail "Multiple PEM sections"
parseURI' t =
withText "URI" $ \ t ->
case parseURI $ T.unpack t of
Nothing -> fail "Invalid absolute URI"
Just u ->
if uriScheme u == "https:"
then return u
else fail "URI scheme isn't https"
instance ToJSON ActorPublicKey where
toJSON = error "toJSON ActorPublicKey"
toEncoding (ActorPublicKey _ pem keyid actor) =
pairs
$ "id" .= showURI keyid
<> "owner" .= showURI actor
<> "publicKeyPem" .= pem
where
showURI u = uriToString id u ""
{-
array = Array . V.fromList
context =
array
[ String "https://w3id.org/security/v1"
, object [("id", String "@id")]
]
-}
-}
-- | Generate a new random key.
generateActorKey :: IO ActorKey
generateActorKey = mk <$> generateSecretKey
where
mk secret =
let public = toPublic secret
in ActorKey
{ actorKeySecret = secret
, actorKeyPublic = public
-- , actorKeyPubPEM = renderPEM public
}
-- renderPEM :: PublicKey -> ByteString
-- renderPEM = pemWriteBS . PEM "PUBLIC KEY" [] . convert
-- | A loop that runs forever and periodically generates new actor keys,
-- storing them in a 'TVar'. It manages a pait of keys, and each time it toggles
-- which key gets rotated.
actorKeyRotator :: TimeInterval -> TVar (ActorKey, ActorKey, Bool) -> IO ()
actorKeyRotator interval keys = periodically interval $ do
fresh <- generateActorKey
atomically $
modifyTVar' keys $ \ (k1, k2, new1) ->
if new1
then (k1 , fresh, False)
else (fresh, k2 , True)
actorKeyPublicBin :: ActorKey -> PublicVerifKey
actorKeyPublicBin = fromEd25519 . actorKeyPublic
actorKeySign :: ActorKey -> ByteString -> Signature
actorKeySign (ActorKey sec pub) = Signature . convert . sign sec pub
actorKeyVerify :: ActorKey -> ByteString -> Signature -> Either String Bool
actorKeyVerify akey input (Signature sig) =
verifySignature (actorKeyPublicBin akey) input sig
|