feat(pki): Make server verify accept payload

Closes #11940

Author: FirelightFlagboy

server/parsec/components/memory/pki.py

@@ -9,7 +9,6 @@
     DeviceID,
     HumanHandle,
     OrganizationID,
-    PkiEnrollmentAnswerPayload,
     PKIEnrollmentID,
     PkiInvalidCertificateDER,
     PkiInvalidSignature,
@@ -19,6 +18,7 @@
     UserCertificate,
     UserProfile,
     VerifyKey,
+    load_accept_payload,
     load_submit_payload,
 )
 from parsec.ballpark import RequireGreaterTimestamp, TimestampOutOfBallpark
@@ -36,7 +36,7 @@
 from parsec.components.pki import (
     BasePkiEnrollmentComponent,
     PkiCertificate,
-    PkiEnrollmentAcceptStoreBadOutcome,
+    PkiEnrollmentAcceptBadOutcome,
     PkiEnrollmentAcceptValidateBadOutcome,
     PkiEnrollmentInfo,
     PkiEnrollmentInfoAccepted,
@@ -390,38 +390,50 @@ async def accept(
     ) -> (
         tuple[UserCertificate, DeviceCertificate]
         | PkiEnrollmentAcceptValidateBadOutcome
-        | PkiEnrollmentAcceptStoreBadOutcome
+        | PkiEnrollmentAcceptBadOutcome
         | TimestampOutOfBallpark
         | RequireGreaterTimestamp
     ):
         try:
             org = self._data.organizations[organization_id]
         except KeyError:
-            return PkiEnrollmentAcceptStoreBadOutcome.ORGANIZATION_NOT_FOUND
+            return PkiEnrollmentAcceptBadOutcome.ORGANIZATION_NOT_FOUND
         if org.is_expired:
-            return PkiEnrollmentAcceptStoreBadOutcome.ORGANIZATION_EXPIRED
+            return PkiEnrollmentAcceptBadOutcome.ORGANIZATION_EXPIRED
 
         # 1) Write lock common topic
 
         async with org.topics_lock(write=["common"]) as (common_topic_last_timestamp,):
             try:
                 author_device = org.devices[author]
             except KeyError:
-                return PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_NOT_FOUND
+                return PkiEnrollmentAcceptBadOutcome.AUTHOR_NOT_FOUND
             author_user_id = author_device.cooked.user_id
 
             author_user = org.users[author_user_id]
             if author_user.is_revoked:
-                return PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_REVOKED
+                return PkiEnrollmentAcceptBadOutcome.AUTHOR_REVOKED
 
             if author_user.current_profile != UserProfile.ADMIN:
-                return PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_NOT_ALLOWED
+                return PkiEnrollmentAcceptBadOutcome.AUTHOR_NOT_ALLOWED
 
             # 2) Validate certificates
             try:
-                PkiEnrollmentAnswerPayload.load(payload)
+                load_accept_payload(
+                    SignedMessage(payload_signature_algorithm, payload_signature, payload),
+                    accepter_trustchain[0].content,
+                    list(map(lambda v: v.content, accepter_trustchain[1:])),
+                    self._config.x509_trust_anchor,
+                    now,
+                )
+            except PkiUntrusted:
+                return PkiEnrollmentAcceptBadOutcome.INVALID_X509_TRUSTCHAIN
+            except PkiInvalidCertificateDER:
+                return PkiEnrollmentAcceptBadOutcome.INVALID_DER_X509_CERTIFICATE
+            except PkiInvalidSignature:
+                return PkiEnrollmentAcceptBadOutcome.INVALID_PAYLOAD_SIGNATURE
             except ValueError:
-                return PkiEnrollmentAcceptStoreBadOutcome.INVALID_ACCEPT_PAYLOAD
+                return PkiEnrollmentAcceptBadOutcome.INVALID_ACCEPT_PAYLOAD
 
             match pki_enrollment_accept_validate(
                 now=now,
@@ -452,25 +464,25 @@ async def accept(
             try:
                 enrollment = org.pki_enrollments[enrollment_id]
             except KeyError:
-                return PkiEnrollmentAcceptStoreBadOutcome.ENROLLMENT_NOT_FOUND
+                return PkiEnrollmentAcceptBadOutcome.ENROLLMENT_NOT_FOUND
 
             if enrollment.enrollment_state != MemoryPkiEnrollmentState.SUBMITTED:
-                return PkiEnrollmentAcceptStoreBadOutcome.ENROLLMENT_NO_LONGER_AVAILABLE
+                return PkiEnrollmentAcceptBadOutcome.ENROLLMENT_NO_LONGER_AVAILABLE
 
             # 6) Check the user_id/device_id don't already exists and human_handle
             # is not already taken
 
             if org.active_user_limit_reached():
-                return PkiEnrollmentAcceptStoreBadOutcome.ACTIVE_USERS_LIMIT_REACHED
+                return PkiEnrollmentAcceptBadOutcome.ACTIVE_USERS_LIMIT_REACHED
 
             if u_certif.user_id in org.users:
-                return PkiEnrollmentAcceptStoreBadOutcome.USER_ALREADY_EXISTS
+                return PkiEnrollmentAcceptBadOutcome.USER_ALREADY_EXISTS
             assert d_certif.device_id not in org.devices
 
             if any(
                 True for u in org.active_users() if u.cooked.human_handle == u_certif.human_handle
             ):
-                return PkiEnrollmentAcceptStoreBadOutcome.HUMAN_HANDLE_ALREADY_TAKEN
+                return PkiEnrollmentAcceptBadOutcome.HUMAN_HANDLE_ALREADY_TAKEN
 
             # 7) All checks are good, now we do the actual insertion
 

server/parsec/components/pki.py

@@ -246,7 +246,7 @@ class PkiEnrollmentRejectBadOutcome(BadOutcomeEnum):
     ENROLLMENT_NO_LONGER_AVAILABLE = auto()
 
 
-class PkiEnrollmentAcceptStoreBadOutcome(BadOutcomeEnum):
+class PkiEnrollmentAcceptBadOutcome(BadOutcomeEnum):
     ORGANIZATION_NOT_FOUND = auto()
     ORGANIZATION_EXPIRED = auto()
     AUTHOR_NOT_FOUND = auto()
@@ -258,6 +258,7 @@ class PkiEnrollmentAcceptStoreBadOutcome(BadOutcomeEnum):
     HUMAN_HANDLE_ALREADY_TAKEN = auto()
     ACTIVE_USERS_LIMIT_REACHED = auto()
     INVALID_ACCEPT_PAYLOAD = auto()
+    INVALID_PAYLOAD_SIGNATURE = auto()
     INVALID_X509_TRUSTCHAIN = auto()
     INVALID_DER_X509_CERTIFICATE = auto()
 
@@ -321,7 +322,7 @@ async def accept(
     ) -> (
         tuple[UserCertificate, DeviceCertificate]
         | PkiEnrollmentAcceptValidateBadOutcome
-        | PkiEnrollmentAcceptStoreBadOutcome
+        | PkiEnrollmentAcceptBadOutcome
         | TimestampOutOfBallpark
         | RequireGreaterTimestamp
     ):
@@ -593,28 +594,31 @@ async def api_pki_enrollment_accept(
         match outcome:
             case (_, _):
                 return authenticated_cmds.latest.pki_enrollment_accept.RepOk()
-            case PkiEnrollmentAcceptStoreBadOutcome.ENROLLMENT_NO_LONGER_AVAILABLE:
+            case PkiEnrollmentAcceptBadOutcome.ENROLLMENT_NO_LONGER_AVAILABLE:
                 return (
                     authenticated_cmds.latest.pki_enrollment_accept.RepEnrollmentNoLongerAvailable()
                 )
-            case PkiEnrollmentAcceptStoreBadOutcome.USER_ALREADY_EXISTS:
+            case PkiEnrollmentAcceptBadOutcome.USER_ALREADY_EXISTS:
                 return authenticated_cmds.latest.pki_enrollment_accept.RepUserAlreadyExists()
-            case PkiEnrollmentAcceptStoreBadOutcome.HUMAN_HANDLE_ALREADY_TAKEN:
+            case PkiEnrollmentAcceptBadOutcome.HUMAN_HANDLE_ALREADY_TAKEN:
                 return authenticated_cmds.latest.pki_enrollment_accept.RepHumanHandleAlreadyTaken()
-            case PkiEnrollmentAcceptStoreBadOutcome.ACTIVE_USERS_LIMIT_REACHED:
+            case PkiEnrollmentAcceptBadOutcome.ACTIVE_USERS_LIMIT_REACHED:
                 return authenticated_cmds.latest.pki_enrollment_accept.RepActiveUsersLimitReached()
-            case PkiEnrollmentAcceptStoreBadOutcome.ENROLLMENT_NOT_FOUND:
+            case PkiEnrollmentAcceptBadOutcome.ENROLLMENT_NOT_FOUND:
                 return authenticated_cmds.latest.pki_enrollment_accept.RepEnrollmentNotFound()
-            case PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_NOT_ALLOWED:
+            case PkiEnrollmentAcceptBadOutcome.AUTHOR_NOT_ALLOWED:
                 return authenticated_cmds.latest.pki_enrollment_accept.RepAuthorNotAllowed()
-            case PkiEnrollmentAcceptStoreBadOutcome.INVALID_ACCEPT_PAYLOAD:
+            case PkiEnrollmentAcceptBadOutcome.INVALID_ACCEPT_PAYLOAD:
                 return authenticated_cmds.latest.pki_enrollment_accept.RepInvalidPayload()
-            case PkiEnrollmentAcceptStoreBadOutcome.INVALID_X509_TRUSTCHAIN:
+            case PkiEnrollmentAcceptBadOutcome.INVALID_X509_TRUSTCHAIN:
                 return authenticated_cmds.latest.pki_enrollment_accept.RepInvalidX509Trustchain()
-            case PkiEnrollmentAcceptStoreBadOutcome.INVALID_DER_X509_CERTIFICATE:
+            case PkiEnrollmentAcceptBadOutcome.INVALID_DER_X509_CERTIFICATE:
                 return (
                     authenticated_cmds.latest.pki_enrollment_accept.RepInvalidDerX509Certificate()
                 )
+            case PkiEnrollmentAcceptBadOutcome.INVALID_PAYLOAD_SIGNATURE:
+                return authenticated_cmds.latest.pki_enrollment_accept.RepInvalidPayloadSignature()
+
             # TODO: https://github.com/Scille/parsec-cloud/issues/11648
             case PkiEnrollmentAcceptValidateBadOutcome():
                 raise NotImplementedError()
@@ -629,11 +633,11 @@ async def api_pki_enrollment_accept(
                 return authenticated_cmds.latest.pki_enrollment_accept.RepRequireGreaterTimestamp(
                     strictly_greater_than=error.strictly_greater_than
                 )
-            case PkiEnrollmentAcceptStoreBadOutcome.ORGANIZATION_NOT_FOUND:
+            case PkiEnrollmentAcceptBadOutcome.ORGANIZATION_NOT_FOUND:
                 client_ctx.organization_not_found_abort()
-            case PkiEnrollmentAcceptStoreBadOutcome.ORGANIZATION_EXPIRED:
+            case PkiEnrollmentAcceptBadOutcome.ORGANIZATION_EXPIRED:
                 client_ctx.organization_expired_abort()
-            case PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_NOT_FOUND:
+            case PkiEnrollmentAcceptBadOutcome.AUTHOR_NOT_FOUND:
                 client_ctx.author_not_found_abort()
-            case PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_REVOKED:
+            case PkiEnrollmentAcceptBadOutcome.AUTHOR_REVOKED:
                 client_ctx.author_revoked_abort()

server/parsec/components/postgresql/pki.py

@@ -18,7 +18,7 @@
 from parsec.components.pki import (
     BasePkiEnrollmentComponent,
     PkiCertificate,
-    PkiEnrollmentAcceptStoreBadOutcome,
+    PkiEnrollmentAcceptBadOutcome,
     PkiEnrollmentAcceptValidateBadOutcome,
     PkiEnrollmentInfo,
     PkiEnrollmentInfoBadOutcome,
@@ -139,7 +139,7 @@ async def accept(
     ) -> (
         tuple[UserCertificate, DeviceCertificate]
         | PkiEnrollmentAcceptValidateBadOutcome
-        | PkiEnrollmentAcceptStoreBadOutcome
+        | PkiEnrollmentAcceptBadOutcome
         | TimestampOutOfBallpark
         | RequireGreaterTimestamp
     ):
@@ -158,4 +158,5 @@ async def accept(
             submitter_redacted_user_certificate,
             submitter_device_certificate,
             submitter_redacted_device_certificate,
+            self._config,
         )

server/parsec/components/postgresql/pki_accept.py

@@ -6,17 +6,21 @@
     DeviceCertificate,
     DeviceID,
     OrganizationID,
-    PkiEnrollmentAnswerPayload,
     PKIEnrollmentID,
+    PkiInvalidCertificateDER,
+    PkiInvalidSignature,
     PkiSignatureAlgorithm,
+    PkiUntrusted,
+    SignedMessage,
     UserCertificate,
     UserProfile,
     VerifyKey,
+    load_accept_payload,
 )
 from parsec.ballpark import RequireGreaterTimestamp, TimestampOutOfBallpark
 from parsec.components.pki import (
     PkiCertificate,
-    PkiEnrollmentAcceptStoreBadOutcome,
+    PkiEnrollmentAcceptBadOutcome,
     PkiEnrollmentAcceptValidateBadOutcome,
     pki_enrollment_accept_validate,
 )
@@ -30,6 +34,7 @@
 )
 from parsec.components.postgresql.user_create_user import _q_insert_user_and_device
 from parsec.components.postgresql.utils import Q
+from parsec.config import BackendConfig
 from parsec.events import EventCommonCertificate, EventPkiEnrollment
 
 _q_get_enrollment = Q("""
@@ -80,10 +85,11 @@ async def pki_accept(
     submitter_redacted_user_certificate: bytes,
     submitter_device_certificate: bytes,
     submitter_redacted_device_certificate: bytes,
+    config: BackendConfig,
 ) -> (
     tuple[UserCertificate, DeviceCertificate]
     | PkiEnrollmentAcceptValidateBadOutcome
-    | PkiEnrollmentAcceptStoreBadOutcome
+    | PkiEnrollmentAcceptBadOutcome
     | TimestampOutOfBallpark
     | RequireGreaterTimestamp
 ):
@@ -96,23 +102,35 @@ async def pki_accept(
         case AuthAndLockCommonOnlyData() as db_common:
             pass
         case AuthAndLockCommonOnlyBadOutcome.ORGANIZATION_NOT_FOUND:
-            return PkiEnrollmentAcceptStoreBadOutcome.ORGANIZATION_NOT_FOUND
+            return PkiEnrollmentAcceptBadOutcome.ORGANIZATION_NOT_FOUND
         case AuthAndLockCommonOnlyBadOutcome.ORGANIZATION_EXPIRED:
-            return PkiEnrollmentAcceptStoreBadOutcome.ORGANIZATION_EXPIRED
+            return PkiEnrollmentAcceptBadOutcome.ORGANIZATION_EXPIRED
         case AuthAndLockCommonOnlyBadOutcome.AUTHOR_NOT_FOUND:
-            return PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_NOT_FOUND
+            return PkiEnrollmentAcceptBadOutcome.AUTHOR_NOT_FOUND
         case AuthAndLockCommonOnlyBadOutcome.AUTHOR_REVOKED:
-            return PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_REVOKED
+            return PkiEnrollmentAcceptBadOutcome.AUTHOR_REVOKED
 
     if db_common.user_current_profile != UserProfile.ADMIN:
-        return PkiEnrollmentAcceptStoreBadOutcome.AUTHOR_NOT_ALLOWED
+        return PkiEnrollmentAcceptBadOutcome.AUTHOR_NOT_ALLOWED
 
     # 2) Validate certificates
 
     try:
-        PkiEnrollmentAnswerPayload.load(payload)
+        load_accept_payload(
+            SignedMessage(payload_signature_algorithm, payload_signature, payload),
+            accepter_trustchain[0].content,
+            list(map(lambda v: v.content, accepter_trustchain[1:])),
+            config.x509_trust_anchor,
+            now,
+        )
+    except PkiUntrusted:
+        return PkiEnrollmentAcceptBadOutcome.INVALID_X509_TRUSTCHAIN
+    except PkiInvalidCertificateDER:
+        return PkiEnrollmentAcceptBadOutcome.INVALID_DER_X509_CERTIFICATE
+    except PkiInvalidSignature:
+        return PkiEnrollmentAcceptBadOutcome.INVALID_PAYLOAD_SIGNATURE
     except ValueError:
-        return PkiEnrollmentAcceptStoreBadOutcome.INVALID_ACCEPT_PAYLOAD
+        return PkiEnrollmentAcceptBadOutcome.INVALID_ACCEPT_PAYLOAD
 
     match pki_enrollment_accept_validate(
         now=now,
@@ -146,7 +164,7 @@ async def pki_accept(
         )
     )
     if enrollment_row is None:
-        return PkiEnrollmentAcceptStoreBadOutcome.ENROLLMENT_NOT_FOUND
+        return PkiEnrollmentAcceptBadOutcome.ENROLLMENT_NOT_FOUND
 
     match enrollment_row["enrollment_internal_id"]:
         case int() as enrollment_internal_id:
@@ -158,7 +176,7 @@ async def pki_accept(
         case True:
             pass
         case False:
-            return PkiEnrollmentAcceptStoreBadOutcome.ENROLLMENT_NO_LONGER_AVAILABLE
+            return PkiEnrollmentAcceptBadOutcome.ENROLLMENT_NO_LONGER_AVAILABLE
         case _:
             assert False, enrollment_row
 
@@ -190,31 +208,31 @@ async def pki_accept(
         case False:
             pass
         case True:
-            return PkiEnrollmentAcceptStoreBadOutcome.HUMAN_HANDLE_ALREADY_TAKEN
+            return PkiEnrollmentAcceptBadOutcome.HUMAN_HANDLE_ALREADY_TAKEN
         case _:
             assert False, row
 
     match row["active_users_limit_reached"]:
         case False:
             pass
         case True:
-            return PkiEnrollmentAcceptStoreBadOutcome.ACTIVE_USERS_LIMIT_REACHED
+            return PkiEnrollmentAcceptBadOutcome.ACTIVE_USERS_LIMIT_REACHED
         case _:
             assert False, row
 
     match row["new_user_internal_id"]:
         case int():
             pass
         case None:
-            return PkiEnrollmentAcceptStoreBadOutcome.USER_ALREADY_EXISTS
+            return PkiEnrollmentAcceptBadOutcome.USER_ALREADY_EXISTS
         case _:
             assert False, row
 
     match row["new_device_internal_id"]:
         case int() as new_device_internal_id:
             pass
         case None:
-            return PkiEnrollmentAcceptStoreBadOutcome.USER_ALREADY_EXISTS
+            return PkiEnrollmentAcceptBadOutcome.USER_ALREADY_EXISTS
         case _:
             assert False, row