feat(broker): verify ed25519 hello signature against member pubkey

WS handshake is now authenticated end-to-end. The broker proves that every connected peer actually holds the secret key for the pubkey they claim as identity — not just that they know the pubkey. wire format change: {type:"hello", meshId, memberId, pubkey, sessionId, pid, cwd, timestamp, signature} where signature = ed25519_sign(canonical, secretKey) and canonical = `${meshId}|${memberId}|${pubkey}|${timestamp}` broker verifies on every hello: 1. timestamp within ±60s of broker clock → else close(1008, timestamp_skew) 2. pubkey is 64 hex chars, signature is 128 hex chars → else malformed 3. crypto_sign_verify_detached(signature, canonical, pubkey) → else bad_signature 4. (existing) mesh.member row exists for (meshId, pubkey) → else unauthorized All rejection paths close the WS with code 1008 + structured error message + metrics counter increment (connections_rejected_total by reason). new modules: - apps/broker/src/crypto.ts: canonicalHello, verifyHelloSignature, HELLO_SKEW_MS constant - apps/cli/src/crypto/hello-sig.ts: matching signHello helper clients updated: - apps/cli/src/ws/client.ts: signs hello before send - apps/broker/scripts/{peer-a,peer-b}.ts (smoke-test): sign hellos with seed-provided secret keys new regression tests — tests/hello-signature.test.ts (7): - valid signature accepted - bad signature (signed with wrong key) rejected - timestamp too old rejected (>60s) - timestamp too far in future rejected (>60s) - tampered canonical field (different meshId at verify time) rejected - malformed hex pubkey rejected - malformed signature length rejected verified live: - apps/broker/scripts/smoke-test.sh: full hello+ack+send+push flow - apps/cli/scripts/roundtrip.ts: signed hello + encrypted message - 55/55 tests pass Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 22:53:40 +01:00
parent bde83cc757
commit 9d3dbcecaf
8 changed files with 355 additions and 29 deletions
--- a/apps/cli/src/crypto/hello-sig.ts
+++ b/apps/cli/src/crypto/hello-sig.ts
@@ -0,0 +1,28 @@
+/**
+ * Client-side signing of the WS hello handshake.
+ *
+ * Canonical bytes: `${meshId}|${memberId}|${pubkey}|${timestamp}` —
+ * MUST match the broker's `canonicalHello()` exactly. Any mismatch
+ * (delimiter, field order, whitespace) produces a bad_signature reject.
+ *
+ * Uses the full ed25519 secret key (64 bytes) that libsodium returns
+ * from crypto_sign_keypair — seed || pubkey layout.
+ */
+
+import { ensureSodium } from "./keypair";
+
+export async function signHello(
+  meshId: string,
+  memberId: string,
+  pubkey: string,
+  secretKeyHex: string,
+): Promise<{ timestamp: number; signature: string }> {
+  const s = await ensureSodium();
+  const timestamp = Date.now();
+  const canonical = `${meshId}|${memberId}|${pubkey}|${timestamp}`;
+  const sig = s.crypto_sign_detached(
+    s.from_string(canonical),
+    s.from_hex(secretKeyHex),
+  );
+  return { timestamp, signature: s.to_hex(sig) };
+}
--- a/apps/cli/src/ws/client.ts
+++ b/apps/cli/src/ws/client.ts
@@ -20,6 +20,7 @@ import {
  encryptDirect,
  isDirectTarget,
 } from "../crypto/envelope";
+import { signHello } from "../crypto/hello-sig";

 export type Priority = "now" | "next" | "low";
 export type ConnStatus = "connecting" | "open" | "closed" | "reconnecting";
@@ -97,21 +98,36 @@ export class BrokerClient {
    this.ws = ws;

    return new Promise<void>((resolve, reject) => {
-      const onOpen = (): void => {
-        this.debug("ws open → sending hello");
-        ws.send(
-          JSON.stringify({
-            type: "hello",
-            meshId: this.mesh.meshId,
-            memberId: this.mesh.memberId,
-            pubkey: this.mesh.pubkey,
-            sessionId: `${process.pid}-${Date.now()}`,
-            pid: process.pid,
-            cwd: process.cwd(),
-            signature: "stub", // libsodium sign_detached lands in Step 18
-            nonce: randomNonce(),
-          }),
-        );
+      const onOpen = async (): Promise<void> => {
+        this.debug("ws open → signing + sending hello");
+        try {
+          const { timestamp, signature } = await signHello(
+            this.mesh.meshId,
+            this.mesh.memberId,
+            this.mesh.pubkey,
+            this.mesh.secretKey,
+          );
+          ws.send(
+            JSON.stringify({
+              type: "hello",
+              meshId: this.mesh.meshId,
+              memberId: this.mesh.memberId,
+              pubkey: this.mesh.pubkey,
+              sessionId: `${process.pid}-${Date.now()}`,
+              pid: process.pid,
+              cwd: process.cwd(),
+              timestamp,
+              signature,
+            }),
+          );
+        } catch (e) {
+          reject(
+            new Error(
+              `hello sign failed: ${e instanceof Error ? e.message : e}`,
+            ),
+          );
+          return;
+        }
        // Arm the hello_ack timeout.
        this.helloTimer = setTimeout(() => {
          this.debug("hello_ack timeout");