demo: dns txt validation

Author: mlebkowski

Readme.md

@@ -44,7 +44,7 @@ Then the receiver confirms that the signature used one of the public
 keys available for a given sender, and that the signature matches
 the message payload. No passwords.
 
-See also [example][demo] for a simple proof of concept.
+See also [example/web-demo][web-demo] for a simple proof of concept.
 
 ## Installation
 
@@ -166,8 +166,16 @@ ssh-keygen -p -N "" -f ssh-signkey.rsa
 jq -Mcn .valid=true | ssh-keygen -Y sign -n example -f ssh-signkey.rsa
 ```
 
+### Extending key sources
+
+Basically, you need to implement `KeyRepository` to return your own `KeyCollection`
+based on the `string $sender`. You can decorate the existing `StandardKeyRepository`
+to keep the built-in features and only add yours on top. An example how this could
+be done using DNS TXT entries is in [examples/dns-txt][dns-demo]
+
 [ssh-sign]: bin/ssh-sign
-[demo]: ./example/
+[web-demo]: ./examples/web-demo
+[dns-demo]: ./examples/dns-txt-demo
 [http-client]: https://packagist.org/providers/psr/http-client-implementation
 [simple-cache]: https://packagist.org/providers/psr/simple-cache-implementation
 [http-factory]: https://packagist.org/providers/psr/http-factory-implementation

cli/Makefile

@@ -4,9 +4,9 @@
 BUILD_PATH := $(shell mktemp -d)
 
 ../bin/ssh-verify: tools/box ${BUILD_PATH}/vendor
-	@echo "${BUILD_PATH}"
 	@tools/box/vendor/bin/box compile -d "${BUILD_PATH}"
 	@mv "${BUILD_PATH}/index.phar" ../bin/ssh-verify
+	@rm -fr "${BUILD_PATH}"
 
 ${BUILD_PATH}/vendor:
 	@cp composer.json composer.lock "${BUILD_PATH}"

examples/.gitignore

@@ -0,0 +1,3 @@
+*.txt
+*.sig
+*.json

examples/dns-txt-demo/.gitignore

@@ -0,0 +1,4 @@
+id_ecdsa
+id_ecdsa.pub
+message.txt
+message.txt.sig

examples/dns-txt-demo/demo.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+if [[ -z "$DO_TOKEN" ]]; then
+  echo "This example uses DigitalOcean API key to set DNS entries, DO_TOKEN is required" >&2
+  exit 2
+fi
+
+if [[ ! -f "../../bin/ssh-verify" ]]; then
+  {
+    echo "The ssh-verify utility has not been built."
+    echo "Use make -c cli from the root directory to build it."
+  } >&2
+  exit 3
+fi
+
+set -euo pipefail
+
+cleanup() {
+  echo "Cleaning up"
+  while read -r file; do rm -fr "$file" 2>/dev/null; done < .gitignore
+}
+
+usage() {
+  echo "usage: $0 <domain>" >&2
+  exit 1
+}
+
+set-dns-txt-record() {
+  declare domain="$1" name="$2"
+
+  local payload
+  payload="$(
+    jq -n \
+      --arg type TXT \
+      --arg name "$name" \
+      --arg data "$(cat "id_ecdsa.pub")" \
+      '{ $type, $name, $data }'
+  )"
+
+  curl --silent -X POST "https://api.digitalocean.com/v2/domains/$domain/records" \
+    --header "Authorization: Bearer $DO_TOKEN" \
+    --header "Content-Type: application/json" \
+    --data "$payload" >/dev/null
+}
+
+main() {
+  declare domain="${1:-}"
+  if [[ -z "$domain" ]]; then
+    usage
+  fi
+  local namespace="dns-txt-demo"
+
+  trap 'cleanup' EXIT
+
+  # generate a random ecdsa key, because DO has a limit of 512 characters for TXT records
+  ssh-keygen -q -t ecdsa -f ./id_ecdsa -N ""
+
+  local host_name
+  host_name="dns-txt-demo-"$(openssl rand -base64 8 | tr -dc A-Za-z0-9 | head -c 10)
+
+  set-dns-txt-record "$domain" "$host_name"
+
+  # generate a message
+  date > message.txt
+
+  # sign
+  ssh-keygen -Y sign -n "$namespace" -f "id_ecdsa" message.txt
+
+  php verify.php "dns://$domain/$host_name" "$namespace" message.txt
+}
+
+main "$@"

examples/dns-txt-demo/verify.php

@@ -0,0 +1,75 @@
+<?php
+declare(strict_types=1);
+
+use WonderNetwork\SshPubkeyPayloadVerification\Key\Key;
+use WonderNetwork\SshPubkeyPayloadVerification\Key\KeyCollection;
+use WonderNetwork\SshPubkeyPayloadVerification\Key\KeyRepository;
+use WonderNetwork\SshPubkeyPayloadVerification\KeyMismatchException;
+use WonderNetwork\SshPubkeyPayloadVerification\ValidatorBuilder;
+
+require_once __DIR__ . '/../../vendor/autoload.php';
+
+[, $sender, $namespace, $messageFile] = $argv;
+
+$message = file_get_contents($messageFile);
+$signature = file_get_contents($messageFile.'.sig');
+
+function get_keys_from_dns(string $domain, string $hostName): KeyCollection {
+    $records = dns_get_record(sprintf('%s.%s', $hostName, $domain), DNS_TXT);
+    if (false === $records) {
+        return KeyCollection::empty();
+    }
+
+    $keys = array_map(
+        /** @param array{txt:string} $record */
+        static function (array $record) {
+            [$type, $key] = explode(' ', $record['txt']);
+            return new Key(type: $type, publicKey: $key);
+        },
+        $records,
+    );
+
+    return KeyCollection::of(...$keys);
+}
+
+$dnsTxtRepository = new class (ValidatorBuilder::start()->standardKeyRepository()) implements KeyRepository {
+    public function __construct(private KeyRepository $standardKeyRepository) {
+    }
+
+    public function all(string $sender): KeyCollection {
+        $url = parse_url($sender);
+        return match ($url['scheme'] ?? null) {
+            'dns' => get_keys_from_dns(
+                $url['host'] ?? throw new RuntimeException('Host is required'),
+                ltrim($url['path'] ?? throw new RuntimeException('Path is required'), '/'),
+            ),
+            default => $this->standardKeyRepository->all($sender),
+        };
+    }
+};
+
+$validator = ValidatorBuilder::start()
+    ->withCustomKeyRepository($dnsTxtRepository)
+    ->build();
+
+try {
+    $badSender = $sender . '-404';
+    $validator->validate($badSender, $namespace, $message, $signature);
+} catch (KeyMismatchException $e) {
+    if ($e->allowed->isEmpty()) {
+        echo "Dummy validation failed as expected, because there are no TXT records ";
+        echo "under the $badSender hostname\n";
+    } else {
+        echo "Unexpected error: {$e->getMessage()}\n";
+    }
+} catch (\Throwable $e) {
+    echo "Unexpected error: {$e->getMessage()}\n";
+}
+
+try {
+    $validator->validate($sender, $namespace, $message, $signature);
+} catch (\Throwable $e) {
+    echo "Unexpected error: {$e->getMessage()}\n";
+    exit(1);
+}
+echo "Validation successful\n";

example/.gitignore renamed to examples/web-demo/.gitignore

@@ -4,7 +4,7 @@
 use WonderNetwork\SshPubkeyPayloadVerification\ValidatorBuilder;
 use WonderNetwork\SshPubkeyPayloadVerification\ValidatorException;
 
-require __DIR__.'/../vendor/autoload.php';
+require __DIR__.'/../../vendor/autoload.php';
 
 $sender = sprintf("ssh://%s", $_SERVER['REMOTE_ADDR']);
 $namespace = $_POST['namespace'];