Verify payloads using public ssh keys

Author: mlebkowski

.github/workflows/ci.yml

@@ -0,0 +1,36 @@
+name: Test
+
+on: [push]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        php_version: ['8.0', '8.1', '8.2', '8.3', '8.4']
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php_version }}
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
+      - name: Cache dependencies
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ matrix.php_version }}-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-${{ matrix.php_version }}-
+
+      - name: Install dependencies
+        run: composer install
+      - name: PHPStan
+        run: vendor/bin/phpstan
+      - name: PHPUnit
+        run: vendor/bin/phpunit

.github/workflows/release.yml

@@ -0,0 +1,38 @@
+name: Create release
+
+on:
+  push:
+    tags:
+      - '*.*.*'
+
+permissions:
+  contents: write
+  packages: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: 'true'
+          fetch-depth: '0'
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: 8.0
+
+      - name: Build phar
+        run:
+          make -C cli
+          mv cli/ssh-verify.phar bin/ssh-verify
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            bin/ssh-verify
+            bin/ssh-sign
+            bin/pem-to-openssh

.gitignore

@@ -0,0 +1 @@
+.phpunit.cache

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 WonderNetwork
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Readme.md

@@ -0,0 +1,174 @@
+# Verify message payloads using publicly available ssh keys
+
+Most of the servers have a public/private ssh key pair available,
+so do most of the developers. Machines have their public parts 
+available on port 22 (via `ssh-keyscan`) and devs upload theirs
+to Github and similar places. How about instead of authorizing
+our messages using passwords and tokens, we could just sign them 
+using rsa/ecdsa/ed25519 keys we already use for SSH communication,
+and let the receiver verify that against publicly available records?
+
+## How it works?
+
+The sender identifies a private key they want to use. This might
+be an `/etc/ssh/ssh_host_ecdsa_key`, for which the public counterpart
+is available via `ssh-keyscan` to the receiver. For people, their
+personal ssh key uploaded to github could be used, as the public
+keys of each user are available at `github.com/username.keys`.
+
+> [!NOTE]
+> Most of the servers exposing something over HTTP also have
+> a HTTPS certificate issued. While this is not strictly in scope
+> of this package because that is not a SSH private key, it can
+> be easily converted to one, and since the cert is exposed on
+> port 443, it is easy to verify by the receivers.
+
+`ssh-keygen` can be used to sign a message (see also 
+[`bin/ssh-sign` script][ssh-sign]). Then they can send the payload
+with a corresponding `.sig` file to the receiver.
+
+```sh
+ssh-keygen -Y sign -f ~/.ssh/id_rsa -n "com.acme.namespace" payload.json
+curl --silent \
+  --form "[email protected]" \
+  --form "[email protected]" \
+  --form "username=mlebkowski" \
+  https://example.org
+```
+
+The receiver in turn needs to determine the sender’s identity.
+This could be done explicitly (e.g. by passing their github username
+along with the message), or implicitly: by the sender’s IP address.
+
+Then the receiver confirms that the signature used one of the public
+keys available for a given sender, and that the signature matches
+the message payload. No passwords.
+
+See also [example][demo] for a simple proof of concept.
+
+## Installation
+
+```sh
+composer require wondernetwork/ssh-pubkey-payload-verification
+```
+
+You will need a `psr/http-client` and `psr/simple-cache` implementations.
+Most frameworks will have this for you, but in case you don’t have them,
+you can just pick one from the top:
+
+ * [packagist `psr/http-client` implementations][http-client]
+ * [packagist `psr/http-factory` implementations][http-factory]
+ * [packagist `psr/http-message` implementations][http-message]
+ * [packagist `psr/simple-cache` implementations][simple-cache]
+
+## Usage
+
+```php
+use WonderNetwork\SshPubkeyPayloadVerification\ValidatorBuilder;
+
+// simples use case:
+$validator = ValidatorBuilder::start()->build();
+
+// all available configuration options:
+$validator = ValidatorBuilder::start()
+    // cache the fetched ssh-keyscans
+    ->withCache($simpleCacheAdapter)
+
+    // provide your own httpClient instead of relying on autodiscovery
+    // if you’d like to cache calls to github, pass your own caching client
+    ->withHttpClient($httpClient)
+    ->withHttpMessageFactory($requestFactory)
+
+    // when a request comes in, just execute ssh-keyscan
+    // to get all their public keys. This is the default
+    ->useRealtimeSshKeyscan()
+    // instead of doing keyscan for each sender
+    // pass a pre-determined known-hosts contents or filename
+    ->withKnownHosts($knownHostsContent)
+    ->withKnownHostsFile($knownHostsFilename)
+    // replace the whole host keyscan implementation with your own
+    ->withSshKeyscan($myFancyKeyscan)
+
+    // replace the `KeyRepository` entirely and provide you own
+    // way for getting list of keys of any given sender
+    // this allows you to create custom sender types and sources 
+    // of their public keys
+    ->withCustomKeyRepository()
+    ->build();
+```
+
+Having the validator, we can now proceed to checking payloads:
+
+```php
+use WonderNetwork\SshPubkeyPayloadVerification\Validator;
+use WonderNetwork\SshPubkeyPayloadVerification\ValidatorException;
+
+/** @var Validator $validator */
+try {
+   $validator->validate(
+     sender: sprintf("ssh://%s:%d", $_SERVER['REMOTE_ADDR'], 22),
+     // alternatives:
+     // sender: sprintf("https://%s:%d", $_SERVER['REMOTE_ADDR'], 443),
+     // sender: "github://mlebkowski",
+     namespace: "something you just need to agree on",
+     // deliver it any way you like it
+     message: $_POST['message'],
+     // deliver it any way you like it:
+     signature: $_POST['signature'],
+   );
+   // good, we can act as if this sender/message are authenticated!
+} catch (ValidatorException $e) {
+   // bad cookie, we discard the message
+   // depending on $e, there might be some interesting context why it failed
+}
+```
+
+## Security
+
+This solution is based on the same PKI infrastructure and
+mathematics behind RSA/ECC as the connection to your bank does.
+There are some caveats:
+
+ * The `ssh-keyscan` is over an insecure connection. There are no
+    equivalent of HTTPS certificates for SSH connections, so an
+    attacker in position to alter your network traffic is able to
+    spoof this. Similarly, if the target sender is taken over before
+    the receiver had the chance to receive their public key list.
+
+   Consider using a static known hosts file instead, or think about
+    implementing a solution that uses HTTPS certificates if that’s
+    something your senders have at hand.
+
+ * This does not server as _authorization_ of the sender’s message,
+    so you need to do this separately. Nor this secures the 
+    communication in any way, so think about transport layer security
+    separately (delivering over HTTPS should be enough). This is
+    stateless, so it doesn’t prevent replay attacks in any way.
+
+ * There is no revocation mechanism other than manually evicting 
+    a key from your cache.
+
+## Cookbook
+
+### Using HTTPS certificates
+
+In order to use a certificate, you need to first convert it’s PEM private
+key into a SSH private key. 
+
+```sh
+# copy from the place you keep HTTPS certificates
+cp /etc/letsencrypt/live/acme.example.org/privkey.pem ssh-signkey.rsa
+# limit permissions, or ssh-keyscan will refuse to work with that file
+chmod 0600 ssh-signkey.rsa
+# rewrite the key in-place (here: without using a passphrase) in OpenSSH format
+ssh-keygen -p -N "" -f ssh-signkey.rsa
+# use as any other SSH private key
+jq -Mcn .valid=true | ssh-keygen -Y sign -n example -f ssh-signkey.rsa
+```
+
+[ssh-sign]: bin/ssh-sign
+[demo]: ./example/
+[http-client]: https://packagist.org/providers/psr/http-client-implementation
+[simple-cache]: https://packagist.org/providers/psr/simple-cache-implementation
+[http-factory]: https://packagist.org/providers/psr/http-factory-implementation
+[http-message]: https://packagist.org/providers/psr/http-message-implementation

bin/pem-to-openssh

@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+usage() {
+  {
+    echo "usage: $0 <source> <target> [<passphrase>]"
+    echo ""
+    echo "      source: private key in PEM format (used in HTTPS certificates)"
+    echo "      target: where to save your new OpenSSH signing key"
+    echo "  passphrase: encrypt the output key using a passphrase"
+    echo "              use an empty string or '-' to be asked interactively"
+    echo "              omit this argument to skip encryption"
+  } >&2
+  return 1
+}
+
+main() {
+  declare source="${1:-}" target="${2:-}" passphrase="${3:-}"
+
+  if [[ -z "$source" ]] || [[ -z "$target" ]] || [[ $# -gt 3 ]]; then
+    usage
+  fi
+
+  if [[ ! -r "$source" ]]; then
+    echo "Error: source file $source is not readable" >&2
+    return 2
+  fi
+
+  if [[ -f "$target" ]]; then
+    read -rp "Target file $target exists. Overwrite? Press Ctrl+C to cancel, Enter to continue: " >&2
+  fi
+
+  cp "$source" "$target"
+  chmod 0600 "$target"
+
+  if [[ $# -eq 3 ]] && [[ "-" == "$passphrase" || "" == "$passphrase" ]]; then
+    ssh-keygen -p -f "$target"
+  else
+    ssh-keygen -p -N "$passphrase" -f "$target"
+  fi
+}
+
+main "$@"

bin/ssh-sign

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+usage() {
+  {
+    echo "usage: $0 <namespace> <ssh-key> [<message-file>...]"
+    echo ""
+    echo "     namespace: is an arbitrary string you need to agree on with the recipient"
+    echo "       ssh-key: will be used to sign the payload."
+    echo "  message-file: one or more files to sign. /dev/stdin is used by default"
+    echo "                signature will be saved with a file suffixed .sig"
+    echo "                if a process substitution or stdin will be provided"
+    echo "                then the signature will be written to stdout"
+  } >&2
+  return 1
+}
+
+main() {
+  declare namespace="${1:-}" ssh_key="${2:-}"
+  shift 2 || :
+
+  if [[ -z "$namespace" ]]; then
+    echo "Error: namespace argument is required" >&2
+    usage
+  fi
+
+  if [[ -z "$ssh_key" ]]; then
+    echo "Error: ssh-key argument is required" >&2
+    usage
+  fi
+
+  if [[ ! -r "$ssh_key" ]]; then
+    echo "Key $ssh_key does not exist or is not readable" >&2
+    return 1
+  fi
+
+  if [[ -z "$*" ]]; then
+    ssh-keygen -Y sign -n "$namespace" -f "$ssh_key"
+  fi
+
+  for file in "$@"; do
+    if [[ -f "$file" ]]; then
+      ssh-keygen -Y sign -n "$namespace" -f "$ssh_key" "$file"
+    else
+      ssh-keygen -Y sign -n "$namespace" -f "$ssh_key" < "$file"
+    fi
+  done
+}
+
+main "$@"

cli/Makefile

@@ -0,0 +1,26 @@
+.DEFAULT_TARGET := ../bin/ssh-verify
+
+# we need to build outside of the root composer path
+BUILD_PATH := $(shell mktemp -d)
+
+../bin/ssh-verify: tools/box ${BUILD_PATH}/vendor
+	@echo "${BUILD_PATH}"
+	@tools/box/vendor/bin/box compile -d "${BUILD_PATH}"
+	@mv "${BUILD_PATH}/index.phar" ../bin/ssh-verify
+
+${BUILD_PATH}/vendor:
+	@cp composer.json composer.lock "${BUILD_PATH}"
+	@sed s/@git-version@/$(shell git describe --tags --always HEAD)/ ssh-verify > "${BUILD_PATH}/index.php"
+	@composer install -d "${BUILD_PATH}"
+	@unlink ${BUILD_PATH}/vendor/wondernetwork/ssh-pubkey-payload-verification
+	@mkdir ${BUILD_PATH}/vendor/wondernetwork/ssh-pubkey-payload-verification
+	@cp -r ../src ../composer.json ${BUILD_PATH}/vendor/wondernetwork/ssh-pubkey-payload-verification/
+
+tools/box: tools/box/vendor
+tools/box/vendor: tools/box/composer.lock tools/box/composer.json
+	@composer --working-dir tools/box install
+
+PHONY: clean
+clean:
+	@rm -rvf ../bin/ssh-verify tools/box/vendor
+