Page MenuHomePhabricator
Differential D10402

Allow Conduit requests to be signed with a public/private keypair
ClosedPublic
Actions

Authored by epriestley on Sep 2 2014, 10:49 AM.
Tags
None
Referenced Files
F14079605: D10402.diff
Fri, Nov 22, 9:05 AM
Unknown Object (File)
Sun, Nov 17, 5:12 AM
Unknown Object (File)
Fri, Nov 15, 7:16 AM
Unknown Object (File)
Fri, Nov 1, 6:11 PM
Unknown Object (File)
Thu, Oct 31, 1:35 AM
Unknown Object (File)
Thu, Oct 24, 9:28 AM
Unknown Object (File)
Thu, Oct 24, 5:22 AM
Unknown Object (File)
Oct 23 2024, 6:19 AM
View All Files
Subscribers
epriestley
Korvin

Details

Reviewers
hach-que
btrahan
Group Reviewers
Blessed Reviewers
Maniphest Tasks
T6240: Implement Conduit request signing for host-to-host calls
Commits
rPHU2ed0bc456971: Allow Conduit requests to be signed with a public/private keypair
Summary

This allows callers (in the future, servers in a cluster or instances) to sign Conduit requests with an asymmetric keypair instead of a certificate or token.

Overall we could get away without this, but it seems worth doing for a few reasons:

  • By binding Device identity to SSH keys, we can also authorize them over (real) SSH easily, and not need separate conduit / SSH keys.
  • Asymmetric key cryptography is strong and well understood, and we never have to share or transmit private keys.
  • This is potentially useful to third parties for device identity, in a way that custom Conduit stuff wouldn't be.
Test Plan
  • Added unit tests.
  • Will actually test once I mess with the other half of this.

Diff Detail

Repository
rPHU libphutil
Branch
conduitserversign
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 2410
Build 2414: [Placeholder Plan] Wait for 30 Seconds

Event Timeline

hach-que updated this revision to Diff 25026.Sep 2 2014, 10:49 AM
hach-que retitled this revision from to Implement setServerSignature on ConduitClient for cross-server calls.
hach-que updated this object.
hach-que edited the test plan for this revision. (Show Details)
hach-que added a reviewer: epriestley.
Herald added a reviewer: Blessed Reviewers. · View Herald TranscriptSep 2 2014, 10:49 AM
Herald added subscribers: Korvin, epriestley. · View Herald Transcript
Harbormaster completed remote builds in B2410: Diff 25026.Sep 2 2014, 10:49 AM
hach-que edited the test plan for this revision. (Show Details)Sep 2 2014, 10:53 AM
hach-que edited edge metadata.
epriestley edited edge metadata.Sep 4 2014, 2:49 AM

This looks fine, except that all of this stuff should presumably be signed -- maybe signing needs to move into the client?

hach-que mentioned this in D10400: Implement storage of a host ID and a public key for authorizing Conduit between servers.Sep 13 2014, 3:10 AM
epriestley added a task: T6240: Implement Conduit request signing for host-to-host calls.Oct 3 2014, 11:29 AM
hach-que updated this revision to Diff 25530.Oct 3 2014, 1:44 PM
hach-que edited edge metadata.

Update to perform signing / verification in libphutil

Harbormaster completed remote builds in B2733: Diff 25530.Oct 3 2014, 1:44 PM
hach-que updated this revision to Diff 25531.Oct 3 2014, 1:45 PM

Fix lint issues

hach-que updated this revision to Diff 25532.Oct 3 2014, 1:46 PM

More lint

Harbormaster completed remote builds in B2734: Diff 25531.Oct 3 2014, 1:46 PM
Harbormaster completed remote builds in B2735: Diff 25532.
hach-que updated this revision to Diff 25533.Oct 3 2014, 1:46 PM

Remove unnecessary signature field

Harbormaster completed remote builds in B2736: Diff 25533.Oct 3 2014, 1:47 PM
hach-que mentioned this in D10401: Allow Phabricator to accept Conduit requests signed with an SSH key.Oct 3 2014, 1:51 PM
epriestley accepted this revision.Oct 3 2014, 2:17 PM
epriestley edited edge metadata.

We need to shore up the actual signature algorithm at some point, but this is seems reasonable for now. Thanks!

This revision is now accepted and ready to land.Oct 3 2014, 2:17 PM
hach-que updated this revision to Diff 25536.Oct 3 2014, 2:45 PM
hach-que edited edge metadata.

Fix parameter and exclude stuff during getEncodedParameters

Harbormaster completed remote builds in B2739: Diff 25536.Oct 3 2014, 2:45 PM
hach-que mentioned this in D10403: Update PhabricatorRepositoryManagementLookupUsersWorkflow to use ConduitCall.Oct 3 2014, 3:24 PM
epriestley commandeered this revision.Nov 12 2014, 8:37 PM
epriestley edited reviewers, added: hach-que; removed: epriestley.

I'm going to yank this and maybe go halfway toward the longer term in T5955.

This revision now requires review to proceed.Nov 12 2014, 8:37 PM
Harbormaster completed remote builds in B2739: Diff 25536.Nov 12 2014, 8:38 PM
epriestley mentioned this in T6543: Commandeer transaction might be built wrong or have wrong display strings?.Nov 12 2014, 8:38 PM
epriestley updated this revision to Diff 26030.Nov 12 2014, 9:56 PM
  • Guessing at how to mostly future-proof this without over-engineering too much.
  • Notes in a sec.
Harbormaster completed remote builds in B3035: Diff 26030.Nov 12 2014, 9:56 PM
epriestley retitled this revision from Implement setServerSignature on ConduitClient for cross-server calls to Allow Conduit requests to be signed with a public/private keypair.Nov 12 2014, 9:59 PM
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a comment.Nov 12 2014, 10:07 PM

This is mostly a judgement call on what the simplest thing we can get away with for now while still doing SSH key auth is. This is slightly more formal than the original implementation was because I think a couple of pieces of it weren't quite heavyweight enough to survive to SAAS. I think this is about the least we can get away with.

The possibly-overengineered part here is the "Consign" signature algorithm. There's some discussion of this and reasoning in D10401. The previous version of this just signed JSON. I picked this by balancing these concerns:

  • Cons
    • Custom algorithm that I might have screwed up.
    • Third parties will have to implement this if they want to do SSH signing (but we don't expect anyone to use SSH keys for now).
  • Pros
    • Works for binary data, which signing JSON doesn't.
    • Signature is indepenent of key order in dictionaries, which signing JSON isn't.
    • Works for nested dictionaries, which other algorithms like the AWS algorithm don't. I think allowing nested objects/lists in the API is generally good (e.g., apply a list of transaction dictionaries).
    • Relatively small signature algorithm (e.g., no dependency on msgpack or BSON).
    • Signature input is human-readable, which signing msgpack or something like that isn't.
    • If this is stupid, the "Consign1.0/" prefix lets us unstupid it later.

Overall doing a custom thing seems not-that-terrible so I went with it. It has a unit test! This algorithm is structurally similar to serialization schemes like msgpack.

I also made host + port part of the signature.

btrahan accepted this revision.Nov 12 2014, 10:52 PM
btrahan edited edge metadata.

I mean, duh. =P I dig the test coverage / future test coverage to come if / when bugs emerge.

This revision is now accepted and ready to land.Nov 12 2014, 10:52 PM
epriestley updated this revision to Diff 26032.Nov 13 2014, 1:18 PM
epriestley edited edge metadata.
  • Use PhutilErrorTrap to produce more informative signing failures.
  • Accept public key in PCKS8 format. This key handling code will probably move into libphutil eventually.
  • Make host part of the request explicitly so we can raise more useful errors on the far side.
Harbormaster completed remote builds in B3037: Diff 26032.Nov 13 2014, 1:19 PM
Closed by commit rPHU2ed0bc456971: Allow Conduit requests to be signed with a public/private keypair (authored by epriestley, committed by epriestley). · Explain WhyNov 15 2014, 11:37 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
conduit/
16 lines

Diff 25026

View Options

src/conduit/ConduitClient.php

Loading...
Phabricator · Built by Phacility