diff sat/plugins/plugin_sec_pubsub_signing.py @ 3956:3cb9ade2ab84

plugin pubsub signing: pubsub items signature implementation: - this is based on a protoXEP, not yet an official XEP: https://github.com/xsf/xeps/pull/1228 - XEP-0470: `set` attachment handler can now be async rel 381
author Goffi <goffi@goffi.org>
date Fri, 28 Oct 2022 18:47:17 +0200
parents
children a15c171836bb
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/sat/plugins/plugin_sec_pubsub_signing.py	Fri Oct 28 18:47:17 2022 +0200
@@ -0,0 +1,338 @@
+#!/usr/bin/env python3
+
+# Libervia plugin for Pubsub Items Signature
+# Copyright (C) 2009-2022 Jérôme Poisson (goffi@goffi.org)
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import base64
+import time
+from typing import Any, Dict, List, Optional
+
+from lxml import etree
+import shortuuid
+from twisted.internet import defer
+from twisted.words.protocols.jabber import jid, xmlstream
+from twisted.words.xish import domish
+from wokkel import disco, iwokkel
+from wokkel import pubsub
+from zope.interface import implementer
+
+from sat.core import exceptions
+from sat.core.constants import Const as C
+from sat.core.core_types import SatXMPPEntity
+from sat.core.i18n import _
+from sat.core.log import getLogger
+from sat.tools import utils
+from sat.tools.common import data_format
+
+from .plugin_xep_0373 import get_gpg_provider, VerificationFailed
+
+
+log = getLogger(__name__)
+
+IMPORT_NAME = "pubsub-signing"
+
+PLUGIN_INFO = {
+    C.PI_NAME: "Pubsub Signing",
+    C.PI_IMPORT_NAME: IMPORT_NAME,
+    C.PI_TYPE: C.PLUG_TYPE_XEP,
+    C.PI_MODES: C.PLUG_MODE_BOTH,
+    C.PI_PROTOCOLS: [],
+    C.PI_DEPENDENCIES: ["XEP-0060", "XEP-0373", "XEP-0470"],
+    C.PI_MAIN: "PubsubSigning",
+    C.PI_HANDLER: "yes",
+    C.PI_DESCRIPTION: _(
+        """Pubsub Signature can be used to strongly authenticate a pubsub item"""
+    ),
+}
+NS_PUBSUB_SIGNING = "urn:xmpp:pubsub-signing:0"
+NS_PUBSUB_SIGNING_OPENPGP = "urn:xmpp:pubsub-signing:openpgp:0"
+
+
+class PubsubSigning:
+    namespace = NS_PUBSUB_SIGNING
+
+    def __init__(self, host):
+        log.info(_("Pubsub Signing plugin initialization"))
+        host.registerNamespace("pubsub-signing", NS_PUBSUB_SIGNING)
+        self.host = host
+        self._p = host.plugins["XEP-0060"]
+        self._ox = host.plugins["XEP-0373"]
+        self._a = host.plugins["XEP-0470"]
+        self._a.register_attachment_handler(
+            "signature", NS_PUBSUB_SIGNING, self.signature_get, self.signature_set
+        )
+        host.trigger.add("XEP-0060_publish", self._publish_trigger)
+        host.bridge.addMethod(
+            "psSignatureCheck",
+            ".plugin",
+            in_sign="sssss",
+            out_sign="s",
+            method=self._check,
+            async_=True,
+        )
+
+    def getHandler(self, client):
+        return PubsubSigning_Handler()
+
+    async def profileConnecting(self, client):
+        self.gpg_provider = get_gpg_provider(self.host, client)
+
+    def get_data_to_sign(
+        self,
+        item_elt: domish.Element,
+        to_jid: jid.JID,
+        timestamp: float,
+        signer: str,
+    ) -> bytes:
+        """Generate the wrapper element, normalize, serialize and return it"""
+        # we remove values which must not be in the serialised data
+        item_id = item_elt.attributes.pop("id")
+        item_publisher = item_elt.attributes.pop("publisher", None)
+        item_parent = item_elt.parent
+
+        # we need to be sure that item element namespace is right
+        item_elt.uri = item_elt.defaultUri = pubsub.NS_PUBSUB
+
+        sign_data_elt = domish.Element((NS_PUBSUB_SIGNING, "sign-data"))
+        to_elt = sign_data_elt.addElement("to")
+        to_elt["jid"] = to_jid.userhost()
+        time_elt = sign_data_elt.addElement("time")
+        time_elt["stamp"] = utils.xmpp_date(timestamp)
+        sign_data_elt.addElement("signer", content=signer)
+        sign_data_elt.addChild(item_elt)
+        # FIXME: xml_tools.domish_elt_2_et_elt must be used once implementation is
+        #   complete. For now serialisation/deserialisation is more secure.
+        # et_sign_data_elt = xml_tools.domish_elt_2_et_elt(sign_data_elt, True)
+        et_sign_data_elt = etree.fromstring(sign_data_elt.toXml())
+        to_sign = etree.tostring(
+            et_sign_data_elt,
+            method="c14n2",
+            with_comments=False,
+            strip_text=True
+        )
+        # the data to sign is serialised, we cna restore original values
+        item_elt["id"] = item_id
+        if item_publisher is not None:
+            item_elt["publisher"] = item_publisher
+        item_elt.parent = item_parent
+        return to_sign
+
+    def _check(
+        self,
+        service: str,
+        node: str,
+        item_id: str,
+        signature_data_s: str,
+        profile_key: str,
+    ) -> defer.Deferred:
+        d = defer.ensureDeferred(
+            self.check(
+                self.host.getClient(profile_key),
+                jid.JID(service),
+                node,
+                item_id,
+                data_format.deserialise(signature_data_s)
+            )
+        )
+        d.addCallback(data_format.serialise)
+        return d
+
+    async def check(
+        self,
+        client: SatXMPPEntity,
+        service: jid.JID,
+        node: str,
+        item_id: str,
+        signature_data: Dict[str, Any],
+    ) -> Dict[str, Any]:
+        items, __ = await self._p.getItems(
+            client, service, node, item_ids=[item_id]
+        )
+        if not items != 1:
+            raise exceptions.NotFound(
+                f"target item not found for {item_id!r} at {node!r} for {service}"
+            )
+        item_elt = items[0]
+        timestamp = signature_data["timestamp"]
+        signers = signature_data["signers"]
+        if not signers:
+            raise ValueError("we must have at least one signer to check the signature")
+        if len(signers) > 1:
+            raise NotImplemented("multiple signers are not supported yet")
+        signer = jid.JID(signers[0])
+        signature = base64.b64decode(signature_data["signature"])
+        verification_keys = {
+            k for k in await self._ox.import_all_public_keys(client, signer)
+            if self.gpg_provider.can_sign(k)
+        }
+        signed_data = self.get_data_to_sign(item_elt, service, timestamp, signer.full())
+        try:
+            self.gpg_provider.verify_detached(signed_data, signature, verification_keys)
+        except VerificationFailed:
+            validated = False
+        else:
+            validated = True
+
+        trusts = {
+            k.fingerprint: (await self._ox.get_trust(client, k, signer)).value.lower()
+            for k in verification_keys
+        }
+        return {
+            "signer": signer.full(),
+            "validated": validated,
+            "trusts": trusts,
+        }
+
+    def signature_get(
+        self,
+        client: SatXMPPEntity,
+        attachments_elt: domish.Element,
+        data: Dict[str, Any],
+    ) -> None:
+        try:
+            signature_elt = next(
+                attachments_elt.elements(NS_PUBSUB_SIGNING, "signature")
+            )
+        except StopIteration:
+            pass
+        else:
+            time_elts = list(signature_elt.elements(NS_PUBSUB_SIGNING, "time"))
+            if len(time_elts) != 1:
+                raise exceptions.DataError("only a single <time/> element is allowed")
+            try:
+                timestamp = utils.parse_xmpp_date(time_elts[0]["stamp"])
+            except (KeyError, exceptions.ParsingError):
+                raise exceptions.DataError(
+                    "invalid time element: {signature_elt.toXml()}"
+                )
+
+            signature_data: Dict[str, Any] = {
+                "timestamp": timestamp,
+                "signers": [
+                    str(s) for s in signature_elt.elements(NS_PUBSUB_SIGNING, "signer")
+                ]
+            }
+            # FIXME: only OpenPGP signature is available for now, to be updated if and
+            #   when more algorithms are available.
+            sign_elt = next(
+                signature_elt.elements(NS_PUBSUB_SIGNING_OPENPGP, "sign"),
+                None
+            )
+            if sign_elt is None:
+                log.warning(
+                    "no known signature profile element found, ignoring signature: "
+                    f"{signature_elt.toXml()}"
+                )
+                return
+            else:
+                signature_data["signature"] = str(sign_elt)
+
+            data["signature"] = signature_data
+
+    async def signature_set(
+        self,
+        client: SatXMPPEntity,
+        attachments_data: Dict[str, Any],
+        former_elt: Optional[domish.Element]
+    ) -> Optional[domish.Element]:
+        signature_data = attachments_data["extra"].get("signature")
+        if signature_data is None:
+            return former_elt
+        elif signature_data:
+            item_elt = signature_data.get("item_elt")
+            service = jid.JID(attachments_data["service"])
+            if item_elt is None:
+                node = attachments_data["node"]
+                item_id = attachments_data["id"]
+                items, __ = await self._p.getItems(
+                    client, service, node, items_ids=[item_id]
+                )
+                if not items != 1:
+                    raise exceptions.NotFound(
+                        f"target item not found for {item_id!r} at {node!r} for {service}"
+                    )
+                item_elt = items[0]
+
+            signer = signature_data["signer"]
+            timestamp = time.time()
+            timestamp_xmpp = utils.xmpp_date(timestamp)
+            to_sign = self.get_data_to_sign(item_elt, service, timestamp, signer)
+
+            signature_elt = domish.Element(
+                (NS_PUBSUB_SIGNING, "signature"),
+            )
+            time_elt = signature_elt.addElement("time")
+            time_elt["stamp"] = timestamp_xmpp
+            signature_elt.addElement("signer", content=signer)
+
+            sign_elt = signature_elt.addElement((NS_PUBSUB_SIGNING_OPENPGP, "sign"))
+            signing_keys = {
+                k for k in self._ox.list_secret_keys(client)
+                if self.gpg_provider.can_sign(k.public_key)
+            }
+            # the base64 encoded signature itself
+            sign_elt.addContent(
+                base64.b64encode(
+                    self.gpg_provider.sign_detached(to_sign, signing_keys)
+                ).decode()
+            )
+            return signature_elt
+        else:
+            return None
+
+    async def _publish_trigger(
+        self,
+        client: SatXMPPEntity,
+        service: jid.JID,
+        node: str,
+        items: Optional[List[domish.Element]],
+        options: Optional[dict],
+        sender: jid.JID,
+        extra: Dict[str, Any]
+    ) -> bool:
+        if not items or not extra.get("signed"):
+            return True
+
+        for item_elt in items:
+            # we need an ID to find corresponding attachment node, and so to sign an item
+            if not item_elt.hasAttribute("id"):
+                item_elt["id"] = shortuuid.uuid()
+            await self._a.set_attachements(
+                client,
+                {
+                    "service": service.full(),
+                    "node": node,
+                    "id": item_elt["id"],
+                    "extra": {
+                        "signature": {
+                            "item_elt": item_elt,
+                            "signer": sender.userhost(),
+                        }
+                    }
+                }
+            )
+
+        return True
+
+
+@implementer(iwokkel.IDisco)
+class PubsubSigning_Handler(xmlstream.XMPPHandler):
+
+    def getDiscoInfo(self, requestor, service, nodeIdentifier=""):
+        return [disco.DiscoFeature(NS_PUBSUB_SIGNING)]
+
+    def getDiscoItems(self, requestor, service, nodeIdentifier=""):
+        return []