feat(broker): verify ed25519 hello signature against member pubkey
WS handshake is now authenticated end-to-end. The broker proves that
every connected peer actually holds the secret key for the pubkey
they claim as identity — not just that they know the pubkey.
wire format change:
{type:"hello", meshId, memberId, pubkey, sessionId, pid, cwd,
timestamp, signature}
where signature = ed25519_sign(canonical, secretKey)
and canonical = `${meshId}|${memberId}|${pubkey}|${timestamp}`
broker verifies on every hello:
1. timestamp within ±60s of broker clock → else close(1008, timestamp_skew)
2. pubkey is 64 hex chars, signature is 128 hex chars → else malformed
3. crypto_sign_verify_detached(signature, canonical, pubkey) → else bad_signature
4. (existing) mesh.member row exists for (meshId, pubkey) → else unauthorized
All rejection paths close the WS with code 1008 + structured error
message + metrics counter increment (connections_rejected_total by
reason).
new modules:
- apps/broker/src/crypto.ts: canonicalHello, verifyHelloSignature,
HELLO_SKEW_MS constant
- apps/cli/src/crypto/hello-sig.ts: matching signHello helper
clients updated:
- apps/cli/src/ws/client.ts: signs hello before send
- apps/broker/scripts/{peer-a,peer-b}.ts (smoke-test): sign hellos
with seed-provided secret keys
new regression tests — tests/hello-signature.test.ts (7):
- valid signature accepted
- bad signature (signed with wrong key) rejected
- timestamp too old rejected (>60s)
- timestamp too far in future rejected (>60s)
- tampered canonical field (different meshId at verify time) rejected
- malformed hex pubkey rejected
- malformed signature length rejected
verified live:
- apps/broker/scripts/smoke-test.sh: full hello+ack+send+push flow
- apps/cli/scripts/roundtrip.ts: signed hello + encrypted message
- 55/55 tests pass
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Alejandro Gutiérrez
@@ -8,12 +8,13 @@
|
||||
*/
|
||||
|
||||
import { readFileSync } from "node:fs";
|
||||
import sodium from "libsodium-wrappers";
|
||||
import WebSocket from "ws";
|
||||
|
||||
const seed = JSON.parse(readFileSync("/tmp/smoke-seed.json", "utf-8")) as {
|
||||
meshId: string;
|
||||
peerA: { memberId: string; pubkey: string };
|
||||
peerB: { memberId: string; pubkey: string };
|
||||
peerA: { memberId: string; pubkey: string; secretKey: string };
|
||||
peerB: { memberId: string; pubkey: string; secretKey: string };
|
||||
};
|
||||
|
||||
const BROKER = process.env.BROKER_WS_URL ?? "ws://localhost:7900/ws";
|
||||
@@ -21,8 +22,17 @@ const ws = new WebSocket(BROKER);
|
||||
|
||||
let helloAcked = false;
|
||||
|
||||
ws.on("open", () => {
|
||||
console.log("[peer-a] connected, sending hello");
|
||||
ws.on("open", async () => {
|
||||
await sodium.ready;
|
||||
const timestamp = Date.now();
|
||||
const canonical = `${seed.meshId}|${seed.peerA.memberId}|${seed.peerA.pubkey}|${timestamp}`;
|
||||
const signature = sodium.to_hex(
|
||||
sodium.crypto_sign_detached(
|
||||
sodium.from_string(canonical),
|
||||
sodium.from_hex(seed.peerA.secretKey),
|
||||
),
|
||||
);
|
||||
console.log("[peer-a] connected, sending signed hello");
|
||||
ws.send(
|
||||
JSON.stringify({
|
||||
type: "hello",
|
||||
@@ -32,8 +42,8 @@ ws.on("open", () => {
|
||||
sessionId: "peer-a-session",
|
||||
pid: process.pid,
|
||||
cwd: "/tmp/peer-a",
|
||||
signature: "stub",
|
||||
nonce: "stub",
|
||||
timestamp,
|
||||
signature,
|
||||
}),
|
||||
);
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user