Switch validation of JWS on incoming requests

[bushjames]

Request Summary:

Current switch implementation relies on participants to validate JWS signatures on incoming requests. It is believed that the switch should do the same before accepting requests that result in funds movements. It has been previously believed that it is not necessary for the switch to validate signatures as no flows are vulnerable so long as both participants are performing signing and signature validation correctly.

Request Details:

• Deadline: asap
• Impact (Teams): core team +?
• Impact (Components): ml-api-adapter

Accountability:

• Owner: DA
• Raised By: @MichaelJBRichards

Decision(s):

• Approved By:
  • JB, MR, PB, VK

Details

• Agreed to proceed with implementation.

Follow-up:

• Passing tests added to existing golden path.

[bushjames]

Discussed at DA call at present time:

• Various transfer API flows discussed and edge-cases considered. What could a bad actor do to compromise any entity in the flow?
  • SK suggests that current situation is low risk given the need for an attacker to compromise both mTLS and ILP secrets in order to send a false message.
  • Participants are expected to send a synchronous error response on signature validation failure (see: https://github.com/mojaloop/central-services-error-handling/blob/master/src/errors.js#L69)
  • It is currently up to the scheme to decide if/when/how to deal with these errors.
• JB: It is currently only necessary for an attacker to compromise TLS and ILP secrets to cause the switch to move funds incorrectly. It should require compromise of all three layers.
• PB: currently we will accept reservations (transfer prepares) without checking signatures. This is a DoS vector. Deemed low risk as any DFSP doing this would be identifiable.

All present are in favour of implementing JWS validation on all incoming API requests to close any edge-case issues.

VK raises that this should be optional via deploy config, enabled by default.

[bushjames]

JB & SK to add to core backlog. How to implement is TBD.

[bushjames]

This is on the core team backlog now. Core team will report back via @elnyry-sam-k when implementation is complete.

[bushjames]

Discussed today. Core team will prioritise for this PI (PI-29).

[bushjames]

Higher priority issues mean this has not been addresses by the core team as yet.