Merge pull request oxen-io#38 from jagerman/subaccounts

Subaccounts & multi-subscribes

Author: jagerman

spns/bytes.hpp

@@ -51,12 +51,30 @@ struct AccountID : bytes<33> {};
 struct Ed25519PK : bytes<32> {};
 struct X25519PK : bytes<32> {};
 struct X25519SK : bytes<32> {};
-struct SubkeyTag : bytes<32> {};
+struct SubaccountTag : bytes<36> {};
 struct Signature : bytes<64> {};
 struct EncKey : bytes<32> {};
 
 struct Blake2B_32 : bytes<32> {};
 
+struct Subaccount {
+    SubaccountTag tag;  /// Provided by the account owner
+    Signature sig;      /// signature of tag, signed by account owner
+
+    // Returns true if two subaccounts have the same tag
+    bool is_same(const Subaccount& other) const { return tag == other.tag; }
+
+    // Returns true if two optional subaccounts refer to the same subaccount or account (i.e. both
+    // empty, or both set to the same subaccount tag).  Does not require identical signatures.
+    static bool is_same(const std::optional<Subaccount>& a, const std::optional<Subaccount>& b) {
+        if (a.has_value() != b.has_value())
+            return false;  // One set, one unset
+        if (!a.has_value())
+            return false;  // Both unset
+        return a->is_same(*b);
+    }
+};
+
 template <typename T, std::enable_if_t<is_bytes<T>, int> = 0>
 inline std::basic_string_view<std::byte> as_bsv(const T& v) {
     return {reinterpret_cast<const std::byte*>(v.data()), T::SIZE};

spns/hive/signature.cpp

@@ -9,33 +9,53 @@
 
 namespace spns::hive {
 
-void verify_signature(std::string_view sig_msg, const Signature& sig, const Ed25519PK& pubkey) {
+void verify_signature(std::string_view sig_msg, const Signature& sig, const Ed25519PK& pubkey, std::string_view descr) {
     if (0 != crypto_sign_verify_detached(sig, as_usv(sig_msg).data(), sig_msg.size(), pubkey))
-        throw signature_verify_failure{"Signature verification failed"};
+        throw signature_verify_failure{std::string{descr} + " verification failed"};
+}
+
+namespace {
+    constexpr std::byte SUBACC_FLAG_READ{0b0001};
+    constexpr std::byte SUBACC_FLAG_ANY_PREFIX{0b1000};
 }
 
 /// Throws signature_verify_failure on signature failure.
 void verify_storage_signature(
         std::string_view sig_msg,
         const Signature& sig,
-        const Ed25519PK& pubkey,
-        const std::optional<SubkeyTag>& subkey_tag) {
+        const SwarmPubkey& pubkey,
+        const std::optional<Subaccount>& subaccount) {
+
+    if (subaccount) {
+        // Parse the subaccount tag:
+        // prefix aka netid (05 for session ids, 03 for groups):
+        auto prefix = subaccount->tag[0];
+        // read/write/etc. flags:
+        auto flags = subaccount->tag[1];
+
+        // If you don't have the read bit we can't help you:
+        if ((flags & SUBACC_FLAG_READ) == std::byte{0})
+            throw signature_verify_failure{"Invalid subaccount: this subaccount does not have read permission"};
 
-    if (subkey_tag) {
-        // H(c || A, key="OxenSSSubkey")
-        auto verify_pubkey = blake2b_keyed<Ed25519PK>(subkey_tag_hash_key, *subkey_tag, pubkey);
+        // Unless the subaccount has the "any prefix" flag, check that the prefix matches the
+        // account prefix:
+        if ((flags & SUBACC_FLAG_ANY_PREFIX) == std::byte{0} &&
+                prefix != pubkey.id[0])
+            throw signature_verify_failure{"Invalid subaccount: subaccount and main account have mismatched network prefix"};
 
-        // c + H(...)
-        crypto_core_ed25519_scalar_add(verify_pubkey, *subkey_tag, verify_pubkey);
+        // Verify that the main account has signed the subaccount tag:
+        verify_signature(subaccount->tag.sv(), subaccount->sig, pubkey.ed25519, "Subaccount auth signature");
 
-        // (c + H(...)) A
-        if (0 != crypto_scalarmult_ed25519_noclamp(verify_pubkey, verify_pubkey, pubkey))
-            throw signature_verify_failure{"Failed to compute subkey: scalarmult failed"};
+        // the subaccount pubkey (starts at [4]; [2] and [3] are future use/null padding):
+        Ed25519PK sub_pk;
+        std::memcpy(sub_pk.data(), &subaccount->tag[4], 32);
 
-        verify_signature(sig_msg, sig, verify_pubkey);
+        // Verify that the subaccount pubkey signed this message (and thus is allowed, transitively,
+        // since the main account signed the subaccount):
+        verify_signature(sig_msg, sig, sub_pk, "Subaccount main signature");
 
     } else {
-        verify_signature(sig_msg, sig, pubkey);
+        verify_signature(sig_msg, sig, pubkey.ed25519);
     }
 }
 

spns/hive/signature.hpp

@@ -4,6 +4,7 @@
 
 #include "../bytes.hpp"
 #include "../utils.hpp"
+#include "../swarmpubkey.hpp"
 
 namespace spns::hive {
 
@@ -14,20 +15,18 @@ class signature_verify_failure : public std::runtime_error {
 };
 
 /// Verifies that the given signature is a valid signature for `sig_msg`.  Supports regular
-/// ed25519_pubkey signatures as well as oxen-storage-server derived subkey signatures (if
-/// `subkey_tag` is given).
-
-inline constexpr auto subkey_tag_hash_key = "OxenSSSubkey"sv;
+/// ed25519_pubkey signatures as well as oxen-storage-server delegated subaccount signatures (if
+/// `subaccount` is given).
 
 // Plain jane Ed25519 signature verification.  Throws a `signature_verify_failure` on verification
 // failure.
-void verify_signature(std::string_view sig_msg, const Signature& sig, const Ed25519PK& pubkey);
+void verify_signature(std::string_view sig_msg, const Signature& sig, const Ed25519PK& pubkey, std::string_view descr = "Signature"sv);
 
 /// Throws signature_verify_failure on signature failure.
 void verify_storage_signature(
         std::string_view sig_msg,
         const Signature& sig,
-        const Ed25519PK& pubkey,
-        const std::optional<SubkeyTag>& subkey_tag);
+        const SwarmPubkey& pubkey,
+        const std::optional<Subaccount>& subaccount);
 
 }  // namespace spns::hive

spns/hive/snode.cpp

@@ -247,7 +247,7 @@ void SNode::check_subs(
                                        + 3 + 36  // 1:p and 33:... (also covers 1:P and 32:...)
                                        + 3 + 2   // 1:n and the le of the l...e list
                                        + 3 + 3   // 1:d and i1e (only if want_data)
-                                       + 3 + 35  // 1:S and 32:... (only if subkey)
+                                       + 3 + 67 + 3 + 39 // 1:S, 64:..., 1:T, 36:... (for subaccount auth)
                     ;
 
             // The biggest int expression we have is i-32768e; this is almost certainly overkill
@@ -263,15 +263,17 @@ void SNode::check_subs(
 
             // keys in ascii-sorted order!
             if (acct.session_ed)
-                dict.append("P", as_sv(acct.ed25519));
-            if (sub.subkey_tag)
-                dict.append("S", as_sv(*sub.subkey_tag));
+                dict.append("P", acct.ed25519.sv());
+            if (sub.subaccount) {
+                dict.append("S", sub.subaccount->sig.sv());
+                dict.append("T", sub.subaccount->tag.sv());
+            }
             if (sub.want_data)
                 dict.append("d", 1);
             dict.append_list("n").append(sub.namespaces.begin(), sub.namespaces.end());
             if (!acct.session_ed)
-                dict.append("p", as_sv(acct.id));
-            dict.append("s", as_sv(sub.sig));
+                dict.append("p", acct.id.sv());
+            dict.append("s", sub.sig.sv());
             dict.append("t", sub.sig_ts);
 
             // Resize away any extra buffer space we didn't fill

spns/hive/subscription.cpp

@@ -29,14 +29,14 @@ static void append_int(std::string& s, Int val) {
 
 Subscription::Subscription(
         const SwarmPubkey& pubkey,
-        std::optional<SubkeyTag> subkey_tag_,
+        std::optional<Subaccount> subaccount_,
         std::vector<int16_t> namespaces_,
         bool want_data_,
         int64_t sig_ts_,
         Signature sig_,
         bool _skip_validation) :
 
-        subkey_tag{std::move(subkey_tag_)},
+        subaccount{std::move(subaccount_)},
         namespaces{std::move(namespaces_)},
         want_data{want_data_},
         sig_ts{sig_ts_},
@@ -74,12 +74,12 @@ Subscription::Subscription(
                 sig_msg += ',';
             append_int(sig_msg, namespaces[i]);
         }
-        verify_storage_signature(sig_msg, sig, pubkey.ed25519, subkey_tag);
+        verify_storage_signature(sig_msg, sig, pubkey, subaccount);
     }
 }
 
 bool Subscription::covers(const Subscription& other) const {
-    if (subkey_tag != other.subkey_tag)
+    if (!Subaccount::is_same(subaccount, other.subaccount))
         return false;
     if (other.want_data && !want_data)
         return false;

spns/hive/subscription.hpp

@@ -42,40 +42,41 @@ class subscribe_error : public std::runtime_error {
 struct Subscription {
     static constexpr std::chrono::seconds SIGNATURE_EXPIRY{14 * 24h};
 
-    std::optional<SubkeyTag> subkey_tag;
+    std::optional<Subaccount> subaccount;
     std::vector<int16_t> namespaces;
     bool want_data;
     int64_t sig_ts;
     Signature sig;
 
     Subscription(
             const SwarmPubkey& pubkey_,
-            std::optional<SubkeyTag> subkey_tag_,
+            std::optional<Subaccount> subaccout_,
             std::vector<int16_t> namespaces_,
             bool want_data_,
             int64_t sig_ts_,
             Signature sig_,
             bool _skip_validation = false);
 
     // Returns true if `this` and `other` represent the same subscription as far as upstream swarm
-    // subscription is concerned.  That is: same subkey, same namespaces, and same want_data value.
-    // The caller is responsible for also ensuring that the subscription applies to the same account
-    // (i.e. has the same SwarmPubkey).
+    // subscription is concerned.  That is: same subaccount tag, same namespaces, and same want_data
+    // value.  The caller is responsible for also ensuring that the subscription applies to the same
+    // account (i.e. has the same SwarmPubkey).
     bool is_same(const Subscription& other) const {
-        return is_same(other.subkey_tag, other.namespaces, other.want_data);
+        return is_same(other.subaccount, other.namespaces, other.want_data);
     }
     // Same as above, but takes the constituent parts.
     bool is_same(
-            const std::optional<SubkeyTag>& o_subkey_tag,
+            const std::optional<Subaccount>& o_subaccount,
             const std::vector<int16_t>& o_namespaces,
             bool o_want_data) const {
-        return subkey_tag == o_subkey_tag && namespaces == o_namespaces && want_data == o_want_data;
+        return Subaccount::is_same(subaccount, o_subaccount) && namespaces == o_namespaces &&
+               want_data == o_want_data;
     }
 
     // Returns true if `this` subscribes to at least everything needed for `other`; `this` can
     // return extra things (e.g. extra namespaces), but cannot omit anything that `other` needs to
-    // send notifications, nor can the two subscriptions use different subkey tags.  This is *only*
-    // valid for two Subscriptions referring to the same account!
+    // send notifications, nor can the two subscriptions use different subaccount tags.  This is
+    // *only* valid for two Subscriptions referring to the same account!
     bool covers(const Subscription& other) const;
 
     bool is_expired(int64_t now) const { return sig_ts < now - SIGNATURE_EXPIRY.count(); }