initial post quantum services

Author: sevenbitbyte

package.json

@@ -61,7 +61,7 @@
   },
   "dependencies": {
     "@dataparty/bouncer-db": "1.0.1",
-    "@dataparty/crypto": "git://github.com/datapartyjs/dataparty-crypto.git",
+    "@dataparty/crypto": "github:datapartyjs/dataparty-crypto#postquantum-bson",
     "@dataparty/tasker": "^0.0.3",
     "@diva.exchange/i2p-sam": "^4.1.8",
     "@markwylde/liferaft": "^1.3.4",

src/comms/isocket-comms.js

@@ -7,7 +7,9 @@ const {Message, Routines} = require('@dataparty/crypto')
 
 const AuthOp = require('./op/auth-op')
 const RosShim = require('./ros-shim')
-const IParty = require('../party/iparty')
+//const IParty = require('../party/iparty')
+
+const {Routines} = require('@dataparty/crypto')
 
 
 /**
@@ -38,6 +40,9 @@ class ISocketComms extends EventEmitter {
 
         this.socket = undefined
 
+        //this.aesOffer = null
+        this.aesStream = null
+
         this._ros = undefined
     }
 
@@ -80,49 +85,58 @@ class ISocketComms extends EventEmitter {
         op.run().then((status)=>{
             debug(status)
             debug('authed')
-            this.emit('open')
+            //this.aesOffer = op.offer
+            this.aesStream = op.stream
             this.authed = true
+            this.emit('open')
         }).catch(error=>{
             this.authed = false
             debug('auth error', error)
             this.emit('close')
         })
     }
 
-    decrypt(reply, sender){
+    async decrypt(reply, sender){
+      if(this.aesStream){
+        debug('decrypting quantum aes')
+
+        const contentBSON = await this.aesStream.decrypt( reply.data )
+        const content = Routines.BSON.parseObject(new Routines.BSON.BaseParser( contentBSON ))
+
+        return content
+
+      } else {
+        debug('decrypting classic')
         const replyObj = JSON.parse(reply.data)
-        let dataPromise = new Promise((resolve, reject)=>{
-            if(replyObj.enc && replyObj.sig){
-              let msg = new Message(replyObj)
-      
-              return resolve(msg.decrypt(this.party._identity).then(content=>{
-                const senderPub = Routines.extractPublicKeys(msg.enc)
-                debug('sender', sender, '\tdiscover', this.discoverRemoteIdentity)
-                if(this.discoverRemoteIdentity && !sender){
-                    debug('discovered remote identity', senderPub)
-                    this.remoteIdentity = {
-                        key: {
-                            public: senderPub
-                        }
-                    }
-                    sender = this.remoteIdentity
-                }
-                debug(`sender from - ${msg.from}`)
-                debug(`senderPub - ${senderPub}`)
-      
-                if(senderPub.box != sender.key.public.box || senderPub.sign != sender.key.public.sign){
-                  return Promise.reject('TRUST - reply is not from expected remote')
-                }
-
-                debug('decrypted data')
-                return content
-              }))
-            }
-      
-            reject( Promise.reject('TRUST - reply is not encrypted') )
-          })
-      
-        return dataPromise
+  
+        if(replyObj.enc && replyObj.sig){
+          let msg = new Message(replyObj)
+  
+          let content = await msg.decrypt(this.party.privateIdentity())
+        
+          const senderPub = Routines.extractPublicKeys(msg.enc)
+          debug('sender', sender, '\tdiscover', this.discoverRemoteIdentity)
+          if(this.discoverRemoteIdentity && !sender){
+              debug('discovered remote identity', senderPub)
+              this.remoteIdentity = {
+                  key: {
+                      public: senderPub
+                  }
+              }
+              sender = this.remoteIdentity
+          }
+          debug(`sender from - ${msg.from}`)
+          debug(`senderPub - ${senderPub}`)
+  
+          if(senderPub.box != sender.key.public.box || senderPub.sign != sender.key.public.sign){
+            throw new Error('TRUST - reply is not from expected remote')
+          }
+  
+          debug('decrypted data')
+          return content
+        }
+      }
+
     }
 
     onmessage(message){
@@ -142,28 +156,37 @@ class ISocketComms extends EventEmitter {
         })
     }
 
-    send(input){
-        debug('send - ', typeof input, input)
+    async send(input){
+      debug('send - ', typeof input, input)
 
-        if(typeof input != 'object'){
-            input = JSON.parse(input)
-        }
+      if(typeof input != 'object'){
+        input = JSON.parse(input)
+      }
+
+      let content = null
 
-        const content = new Message({msg: input})
+      if(this.aesStream){
+        debug('sending quantum aes')
+        const contentBSON = Routines.BSON.serializeBSONWithoutOptimiser( input )
+        content = await this.aesStream.encrypt( contentBSON )
+      } else {
 
-        return content.encrypt(this.party._identity, this.remoteIdentity.key)
-            .then(JSON.stringify)
-            .then(this.socket.send.bind(this.socket))
+        debug('sending classic')
+        const msg = new Message({msg: input})
+        await msg.encrypt(this.party._identity, this.remoteIdentity.key)
+        content = JSON.stringify(msg)
+      }
 
+      await this.socket.send(content)
     }
 
     get ros(){
-        if(!this._ros){
-            this._ros = new RosShim(this)
-            this._ros.connect()
-        }
+      if(!this._ros){
+          this._ros = new RosShim(this)
+          this._ros.connect()
+      }
 
-        return this._ros
+      return this._ros
     }
 }
 

src/comms/op/auth-op.js

@@ -1,11 +1,48 @@
 const debug = require('debug')('dataparty.op.auth-op')
 const SocketOp = require('./socket-op')
 
+const {Routines} = require('@dataparty/crypto')
+
 
 class AuthOp extends SocketOp {
-    constructor(socket){
-        super('auth', {}, socket)
+  constructor(socket){
+    super('auth', {}, socket)
+
+    this.offer=null
+    this.stream=null
+  }
+
+  async run(){
+    const actor = socket.party.privateIdentity()
+    const aesStreamOffer = await actor.createStream( socket.remoteIdentity )
+
+    this.stream = aesStreamOffer.stream
+
+    const offer = {
+      sender: aesStreamOffer.sender,
+      pqCipherText: aesStreamOffer.pqCipherText,
+      streamNonce: aesStreamOffer.streamNonce
+    }
+
+    const offerBSON = Routines.BSON.serializeBSONWithoutOptimiser( offer )
+
+    const { timestamp, value, type } = await Routines.signDataPQ(actor, offerBSON, 'pqsign_ml')
+
+    const authPkt = {
+      offer,
+      signature: {
+        timestamp, type,
+        value: Routines.Utils.base64.encode(value)
+      }
     }
+
+    debug('created authPkt', authPkt)
+
+    this.offer = offer
+    this.data = authPkt
+
+    return super.run()
+  }
 }
 
 module.exports = AuthOp

src/comms/peer-comms.js

@@ -359,8 +359,49 @@ class PeerComms extends ISocketComms {
   }
 
   async handleAuthOp(op){
+
+    debug('handleAuthOp -', op)
+
+    const offerBSON = Routines.BSON.serializeBSONWithoutOptimiser( op.input.offer )
+    const offer = {
+      sender: aesStreamOffer.sender,
+      pqCipherText: aesStreamOffer.pqCipherText,
+      streamNonce: aesStreamOffer.streamNonce
+    }
+
+    const signature = {
+      timestamp: op.input.signature.timestamp,
+      type: op.input.signature.type,
+      value: Routines.Utils.base64.decode( op.input.signature.value )
+    }
+
+    const actor = await this.party.hostRunner.auth.lookupIdentity(offer.sender)
+    const verified = await Routines.verifyDataPQ(actor, signature, offerBSON)
+    
+    if(!verified){
+      throw new Error('DENY - auth op signature is not valid')
+    }
+
+    if(this.discoverRemoteIdentity){ this.remoteIdentity = actor }
+    
+    const authorized = await this.party.hostRunner.auth.isSocketConnectionAllowed(actor)
+    if(!authorized){
+
+      clearTimeout(this._host_auth_timeout)
+      this._host_auth_timeout = null
+
+      this.authed = false
+      this.setState(PeerComms.STATES.SERVER_CLOSED)
+      op.setState(HostOp.STATES.Finished_Success)
+
+      await this.stop()
+
+      debug('DENY - client not allowed - ', this.remoteIdentity)
+    }
+
+    this.aesStream = this.party.privateIdentity.recoverStream(offer, true)
 
-    debug('allowing client - ', this.remoteIdentity)
+    debug('ALLOW - allowing client - ', this.remoteIdentity)
 
     clearTimeout(this._host_auth_timeout)
     this._host_auth_timeout = null
@@ -380,7 +421,7 @@ class PeerComms extends ISocketComms {
 
       debug('calling runner')
 
-      if(op.input.endpoint == 'api-v2-peer-bouncer'){
+      if(op.input.endpoint == 'api-v2-peer-bouncer' && await this.party.hostRunner.auth.isAdmin(this.remoteIdentity)){
         debug('ask->', truncateString(op.input.data, 1024))
         op.result = {result: await this.party.handleCall(op.input.data) }
 
@@ -418,7 +459,7 @@ class PeerComms extends ISocketComms {
       op.setState(HostOp.STATES.Finished_Success)
       return
 
-    } else if(op.input.endpoint == 'api-v2-peer-bouncer'){
+    } else if(op.input.endpoint == 'api-v2-peer-bouncer' && await this.party.hostRunner.auth.isAdmin(this.remoteIdentity)){
 
       debug('ask->',op.input.data)
       op.result = {result: await this.party.handleCall(op.input.data) }

src/service/iauth.js

@@ -0,0 +1,81 @@
+const debug = require('debug')('dataparty.service.IAuth')
+
+module.exports = class IAuth {
+
+  /**
+   * Interface class for Authorization
+   * 
+   * @interface module:Service.IAuth
+   * @link module:Service
+   */
+  constructor({context}){
+    this.context = {
+      party: context.party,
+      serviceRunner: context.serviceRunner
+    }
+  }
+
+  /**
+   * @type {string}
+   * @member module:Service.ITask.Name
+   */
+  static get Name(){
+    throw new Error('not implemented')
+  }
+
+  /**
+   * @type {string}
+   * @member module:Service.ITask.Description
+   */
+  static get Description(){
+    throw new Error('not implemented')
+  }
+
+  async lookupIdentity(identity){
+    return identity
+  }
+
+  async isSocketConnectionAllowed(identity){
+    //throw new Error('not implemented')
+    return true
+  }
+
+  async isInternal(identity){
+    return false
+  }
+
+  async isAdmin(identity){
+    return false
+  }
+
+  async canReadDb(identity){
+    return false
+  }
+
+  async canWriteDb(identity){
+    return false
+  }
+
+  async canAccessTopics(identity){
+    return true
+  }
+
+  /**
+   * @typedef {Object} module:Service.IAuth.Info
+   * @property {string} Name
+   * @property {string} Description
+   * @property {module:Service.IAuth.TaskConfig} Config
+   */
+
+  /**
+   * Returns the task's `Name`, `Description`, and `Config`
+   * @type module:Service.IAuth.Info
+   * @member module:Service.IAuth.info
+   */
+  static get info(){
+    return {
+      Name: this.Name,
+      Description: this.Description
+    }
+  }
+}

src/service/index-browser.js

@@ -5,6 +5,7 @@ const Path = require('path')
  */
 
 
+exports.IAuth = require('./iauth')
 exports.IContext= require('./icontext')
 exports.IService= require('./iservice')
 exports.IEndpoint= require('./iendpoint')

src/service/index.js

@@ -5,6 +5,7 @@ const Path = require('path')
  */
 
 
+exports.IAuth = require('./iauth')
 exports.IContext= require('./icontext')
 exports.IService= require('./iservice')
 exports.IEndpoint= require('./iendpoint')