wip: ready new-account for email and google verification

This commit is contained in:
AJ ONeal 2020-08-17 23:14:09 +00:00
parent 9608a7429b
commit 23822cdf09
14 changed files with 1089 additions and 127 deletions

1
go.mod
View File

@ -3,6 +3,7 @@ module git.coolaj86.com/coolaj86/go-mockid
go 1.13 go 1.13
require ( require (
git.rootprojects.org/root/hashcash v1.0.1
git.rootprojects.org/root/keypairs v0.5.2 git.rootprojects.org/root/keypairs v0.5.2
github.com/google/uuid v1.1.1 github.com/google/uuid v1.1.1
github.com/joho/godotenv v1.3.0 github.com/joho/godotenv v1.3.0

2
go.sum
View File

@ -1,3 +1,5 @@
git.rootprojects.org/root/hashcash v1.0.1 h1:PkzwZu4CR5q/hwAntJdvcmNhmP0ONhetMo7rYhIZhZ0=
git.rootprojects.org/root/hashcash v1.0.1/go.mod h1:HdoULUe94o1NVMES5K6aP3p8QGQiIia73F1HNZ1+FkQ=
git.rootprojects.org/root/keypairs v0.5.2 h1:jr+drUUm/REaCDJTl5gT3kF2PwlXygcLsBZlqoKTZZw= git.rootprojects.org/root/keypairs v0.5.2 h1:jr+drUUm/REaCDJTl5gT3kF2PwlXygcLsBZlqoKTZZw=
git.rootprojects.org/root/keypairs v0.5.2/go.mod h1:WGI8PadOp+4LjUuI+wNlSwcJwFtY8L9XuNjuO3213HA= git.rootprojects.org/root/keypairs v0.5.2/go.mod h1:WGI8PadOp+4LjUuI+wNlSwcJwFtY8L9XuNjuO3213HA=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

View File

@ -19,7 +19,7 @@ func Verify(w http.ResponseWriter, r *http.Request) {
return return
} }
var jws *xkeypairs.JWS jws := &xkeypairs.JWS{}
authzParts := strings.Split(r.Header.Get("Authorization"), " ") authzParts := strings.Split(r.Header.Get("Authorization"), " ")
lenAuthz := len(authzParts) lenAuthz := len(authzParts)
@ -27,11 +27,9 @@ func Verify(w http.ResponseWriter, r *http.Request) {
jwt := authzParts[1] jwt := authzParts[1]
jwsParts := strings.Split(jwt, ".") jwsParts := strings.Split(jwt, ".")
if 3 == len(jwsParts) { if 3 == len(jwsParts) {
jws = &xkeypairs.JWS{ jws.Protected = jwsParts[0]
Protected: jwsParts[0], jws.Payload = jwsParts[1]
Payload: jwsParts[1], jws.Signature = jwsParts[2]
Signature: jwsParts[2],
}
} }
} }
@ -41,7 +39,7 @@ func Verify(w http.ResponseWriter, r *http.Request) {
return return
} }
decoder := json.NewDecoder(r.Body) decoder := json.NewDecoder(r.Body)
err := decoder.Decode(&jws) err := decoder.Decode(jws)
if nil != err && io.EOF != err { if nil != err && io.EOF != err {
log.Printf("json decode error: %s", err) log.Printf("json decode error: %s", err)
http.Error(w, "Bad Request: invalid JWS body", http.StatusBadRequest) http.Error(w, "Bad Request: invalid JWS body", http.StatusBadRequest)

101
mockid/hashcash.go Normal file
View File

@ -0,0 +1,101 @@
package mockid
import (
"errors"
"net/http"
"sync"
"time"
"git.rootprojects.org/root/hashcash"
)
var hashcashes = &hashcashDB{
db: sync.Map{},
}
func NewHashcash(sub string, exp time.Time) *hashcash.Hashcash {
h := hashcash.New(hashcash.Hashcash{
Subject: sub,
ExpiresAt: exp,
})
// ignoring the error because this implementation is backed by an in-memory map
_ = hashcashes.Store(h.Nonce, h)
return h
}
var ErrNotFound = errors.New("not found")
func UseHashcash(hc string) error {
phony, err := hashcash.Parse(hc)
if nil != err {
return err
}
hi, ok, _ := hashcashes.Load(phony.Nonce)
if !ok {
return ErrNotFound
}
mccoy := hi.(*hashcash.Hashcash)
mccopy := *mccoy
mccopy.Solution = phony.Solution
if err := mccopy.Verify("*"); nil != err {
return err
}
_ = hashcashes.Delete(mccoy.Nonce)
return nil
}
func issueHashcash(w http.ResponseWriter, r *http.Request) *hashcash.Hashcash {
h := NewHashcash(r.Host, time.Now().Add(5*time.Minute))
w.Header().Set("Hashcash-Challenge", h.String())
return h
}
func requireHashcash(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
hc := r.Header.Get("Hashcash")
_ = issueHashcash(w, r)
if err := UseHashcash(hc); nil != err {
http.Error(w, "Bad Request", http.StatusBadRequest)
return
}
next(w, r)
}
}
type hashcashDB struct {
db sync.Map
}
func (h *hashcashDB) Load(key interface{}) (value interface{}, ok bool, err error) {
v, ok := h.db.Load(key)
return v, ok, nil
}
func (h *hashcashDB) Store(key interface{}, value interface{}) (err error) {
h.db.Store(key, value)
return nil
}
func (h *hashcashDB) Delete(key interface{}) (err error) {
h.db.Delete(key)
return nil
}
func (h *hashcashDB) vacuum() (err error) {
now := time.Now().UTC()
h.db.Range(func(key interface{}, val interface{}) bool {
v := val.(*hashcash.Hashcash)
if v.ExpiresAt.Sub(now) < 0 {
h.db.Delete(key)
}
return true
})
return nil
}

View File

@ -11,11 +11,9 @@ import (
"fmt" "fmt"
"io" "io"
"math/big" "math/big"
"net/http"
"net/url" "net/url"
"os" "os"
"strconv" "strconv"
"sync"
"time" "time"
"git.coolaj86.com/coolaj86/go-mockid/xkeypairs" "git.coolaj86.com/coolaj86/go-mockid/xkeypairs"
@ -34,6 +32,13 @@ type PublicJWK struct {
Y string `json:"y"` Y string `json:"y"`
} }
type KVDB interface {
Load(key interface{}) (value interface{}, ok bool, err error)
Store(key interface{}) (value interface{}, err error)
Delete(key interface{}) (err error)
vacuum() (err error)
}
type InspectableToken struct { type InspectableToken struct {
Public keypairs.PublicKey `json:"jwk"` Public keypairs.PublicKey `json:"jwk"`
Protected map[string]interface{} `json:"protected"` Protected map[string]interface{} `json:"protected"`
@ -57,9 +62,6 @@ func (t *InspectableToken) MarshalJSON() ([]byte, error) {
var defaultFrom string var defaultFrom string
var defaultReplyTo string var defaultReplyTo string
//var nonces map[string]int64
//var nonCh chan string
var nonces sync.Map
var salt []byte var salt []byte
func Init() { func Init() {
@ -82,6 +84,13 @@ func Init() {
} }
}() }()
*/ */
go func() {
for {
time.Sleep(15 * time.Second)
hashcashes.vacuum()
}
}()
} }
func GenToken(host string, privkey keypairs.PrivateKey, query url.Values) (string, string, string) { func GenToken(host string, privkey keypairs.PrivateKey, query url.Values) (string, string, string) {
@ -164,40 +173,3 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
return false return false
} }
} }
func issueNonce(w http.ResponseWriter, r *http.Request) {
b := make([]byte, 16)
_, _ = rand.Read(b)
nonce := base64.RawURLEncoding.EncodeToString(b)
//nonCh <- nonce
nonces.Store(nonce, time.Now())
w.Header().Set("Replay-Nonce", nonce)
}
func requireNonce(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
nonce := r.Header.Get("Replay-Nonce")
// TODO expire nonces every so often
//t := nonces[nonce]
var t time.Time
tmp, ok := nonces.Load(nonce)
if ok {
t = tmp.(time.Time)
}
if !ok || time.Now().Sub(t) > 15*time.Minute {
http.Error(
w,
`{ "error": "invalid or expired nonce", "error_code": "ENONCE" }`,
http.StatusBadRequest,
)
return
}
//delete(nonces, nonce)
nonces.Delete(nonce)
issueNonce(w, r)
next(w, r)
}
}

64
mockid/nonce.go Normal file
View File

@ -0,0 +1,64 @@
package mockid
import (
"crypto/rand"
"encoding/base64"
"net/http"
"sync"
"time"
)
//var nonces map[string]int64
//var nonCh chan string
var nonces sync.Map
func issueNonce(w http.ResponseWriter, r *http.Request) {
b := make([]byte, 16)
_, _ = rand.Read(b)
nonce := base64.RawURLEncoding.EncodeToString(b)
//nonCh <- nonce
nonces.Store(nonce, time.Now())
w.Header().Set("Replay-Nonce", nonce)
}
func requireNonce(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
nonce := r.Header.Get("Replay-Nonce")
// TODO expire nonces every so often
//t := nonces[nonce]
if !useNonce(nonce) {
http.Error(
w,
`{ "error": "invalid or expired nonce", "error_code": "ENONCE" }`,
http.StatusBadRequest,
)
return
}
issueNonce(w, r)
next(w, r)
}
}
func checkNonce(nonce string) bool {
var t time.Time
tmp, ok := nonces.Load(nonce)
if ok {
t = tmp.(time.Time)
}
if ok && time.Now().Sub(t) <= 15*time.Minute {
return true
}
return false
}
func useNonce(nonce string) bool {
if checkNonce(nonce) {
//delete(nonces, nonce)
nonces.Delete(nonce)
return true
}
return false
}

View File

@ -6,6 +6,7 @@ import (
"crypto/sha512" "crypto/sha512"
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"errors"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"log" "log"
@ -23,94 +24,150 @@ import (
"github.com/google/uuid" "github.com/google/uuid"
) )
type HTTPResponse struct {
Error string `json:"error"`
Success bool `json:"success"`
}
// Route returns an HTTP Mux containing the full API // Route returns an HTTP Mux containing the full API
func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler { func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
Init() Init()
// TODO get from main() // TODO get from main()
tokPrefix := jwksPrefix tokenPrefix = jwksPrefix
pubkey := keypairs.NewPublicKey(privkey.Public()) pubkey := keypairs.NewPublicKey(privkey.Public())
http.HandleFunc("/api/new-nonce", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/api/new-hashcash", func(w http.ResponseWriter, r *http.Request) {
baseURL := getBaseURL(r) if "POST" != r.Method {
/* http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
res.statusCode = 200; return
res.setHeader("Cache-Control", "max-age=0, no-cache, no-store"); }
// TODO
//res.setHeader("Date", "Sun, 10 Mar 2019 08:04:45 GMT"); indexURL := getBaseURL(r) + "/api/directory"
// is this the expiration of the nonce itself? methinks maybe so
//res.setHeader("Expires", "Sun, 10 Mar 2019 08:04:45 GMT");
// TODO use one of the registered domains
//var indexURL = "https://acme-staging-v02.api.letsencrypt.org/index"
*/
//var port = (state.config.ipc && state.config.ipc.port || state._ipc.port || undefined);
//var indexURL = "http://localhost:" + port + "/index";
indexURL := baseURL + "/index"
w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"") w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"")
w.Header().Set("Date", time.Now().Format(http.TimeFormat))
// disable caching in every possible way
w.Header().Set("Expires", time.Now().Format(http.TimeFormat))
w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store") w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store")
w.Header().Set("Pragma", "no-cache") w.Header().Set("Pragma", "no-cache")
//res.setHeader("Strict-Transport-Security", "max-age=604800"); w.Header().Set("Strict-Transport-Security", "max-age=604800")
w.Header().Set("X-Frame-Options", "DENY") w.Header().Set("X-Frame-Options", "DENY")
issueNonce(w, r)
h := issueHashcash(w, r)
b, _ := json.Marshal(h)
w.Write(b)
}) })
http.HandleFunc("/api/new-account", requireNonce(func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/api/new-nonce", requireHashcash(func(w http.ResponseWriter, r *http.Request) {
// Try to decode the request body into the struct. If there is an error, indexURL := getBaseURL(r) + "/api/directory"
// respond to the client with the error message and a 400 status code. w.Header().Set("Link", "<"+indexURL+">;rel=\"index\"")
data := map[string]string{}
err := json.NewDecoder(r.Body).Decode(&data) w.Header().Set("Date", time.Now().Format(http.TimeFormat))
if nil != err { // disable caching in every possible way
http.Error(w, err.Error(), http.StatusBadRequest) w.Header().Set("Expires", time.Now().Format(http.TimeFormat))
w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store")
w.Header().Set("Pragma", "no-cache")
w.Header().Set("Strict-Transport-Security", "max-age=604800")
w.Header().Set("X-Frame-Options", "DENY")
issueNonce(w, r)
}))
http.HandleFunc("/api/test-hashcash", func(w http.ResponseWriter, r *http.Request) {
if err := UseHashcash(r.Header.Get("Hashcash")); nil != err {
b, _ := json.Marshal(&HTTPResponse{
Error: err.Error(),
})
w.Write(b)
return return
} }
// TODO check DNS for MX records b, _ := json.Marshal(&HTTPResponse{
parts := strings.Split(data["to"], ", <>\n\r\t") Success: true,
to := parts[0] })
if len(parts) > 1 || !strings.Contains(to, "@") { w.Write(b)
http.Error(w, "invalid email address", http.StatusBadRequest) })
type NewAccount struct {
Contact []string `json:"contact"`
TermsOfServiceAgreed bool `json:"termsOfServiceAgreed"`
}
http.HandleFunc("/api/new-account", func(w http.ResponseWriter, r *http.Request) {
myURL := getBaseURL(r) + r.URL.Path
jws := &xkeypairs.JWS{}
decoder := json.NewDecoder(r.Body)
if err := decoder.Decode(jws); nil != err {
http.Error(w, "Bad Request", http.StatusBadRequest)
return
}
defer r.Body.Close()
if err := jws.DecodeComponents(); nil != err {
http.Error(w, "Bad Request", http.StatusBadRequest)
fmt.Fprintf(w, `{"error":%q}`+"\n", err)
return return
} }
// TODO expect JWK in JWS/JWT kid, _ := jws.Header["kid"].(string)
// TODO place validated JWK into file with token if "" != kid {
http.Error(w, "Bad Request", http.StatusBadRequest)
token, err := uuid.NewRandom() fmt.Fprintf(w, `{"error":"jws must include protected jwk, which is mutually exclusive from kid"}`+"\n")
if nil != err {
// nothing else to do if we run out of random
// or are on a platform that doesn't support random
panic(fmt.Errorf("random bytes read failure: %w", err))
}
token64 := base64.RawURLEncoding.EncodeToString([]byte(token[:]))
// hash token to prevent fs read timing attacks
hash := sha1.Sum(append(token[:], salt...))
tokname := base64.RawURLEncoding.EncodeToString(hash[:])
if err := ioutil.WriteFile(
filepath.Join(tokPrefix, tokname+".tok.txt"),
[]byte(`{"comment":"I have no idea..."}`),
os.FileMode(0600),
); nil != err {
http.Error(w, "database connection failed when writing verification token", http.StatusInternalServerError)
return return
} }
subject := "Verify New Account"
// TODO go tpl alg, _ := jws.Header["alg"].(string)
// TODO determine OS and Browser from user agent if !strings.HasSuffix(alg, "256") {
http.Error(w, "Bad Request", http.StatusBadRequest)
fmt.Fprintf(w, `{"error":"invalid jws protected algorithm"}`+"\n")
return
}
nonce, _ := jws.Header["nonce"].(string)
if !useNonce(nonce) {
http.Error(w, "Bad Request", http.StatusBadRequest)
fmt.Fprintf(w, `{"error":"invalid jws protected nonce"}`+"\n")
return
}
jwsURL, _ := jws.Header["url"].(string)
if myURL != jwsURL {
http.Error(w, "Bad Request", http.StatusBadRequest)
fmt.Fprintf(w, `{"error":"invalid jws protected target URL"}`+"\n")
return
}
ok, err := xkeypairs.VerifyClaims(nil, jws)
if nil != err || !ok {
if nil != err {
log.Printf("jws verify error: %s", err)
}
http.Error(w, "Bad Request", http.StatusBadRequest)
fmt.Fprintf(w, `{"error":"could not verify JWS claims"}`+"\n")
return
}
contacts, _ := jws.Claims["contact"].([]string)
contact := ""
if 1 == len(contacts) {
contact = contacts[0]
}
baseURL := getBaseURL(r) baseURL := getBaseURL(r)
text := fmt.Sprintf( if err := startVerification(baseURL, contact); nil != err {
"It looks like you just tried to register a new Pocket ID account.\n\n Verify account: %s/verify/%s\n\nNot you? Just ignore this message.", http.Error(w, "Bad Request", http.StatusBadRequest)
baseURL, token64, msg, _ := json.Marshal(err.Error())
) fmt.Fprintf(w, `{"error":%s}`+"\n", msg)
_, err = SendSimpleMessage(to, defaultFrom, subject, text, defaultReplyTo)
if nil != err {
// TODO neuter mailgun output
http.Error(w, err.Error(), http.StatusBadRequest)
return return
} }
fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n") fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n")
})) })
// TODO use chi // TODO use chi
http.HandleFunc("/verify/", requireNonce(func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/verify/", requireNonce(func(w http.ResponseWriter, r *http.Request) {
@ -119,24 +176,13 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
http.Error(w, "invalid url path", http.StatusBadRequest) http.Error(w, "invalid url path", http.StatusBadRequest)
return return
} }
token64 := parts[2] token := parts[2]
token, err := base64.RawURLEncoding.DecodeString(token64)
if err != nil || 0 == len(token) {
http.Error(w, "invalid url path", http.StatusBadRequest)
return
}
// hash token to prevent fs read timing attacks
hash := sha1.Sum(append(token, salt...))
tokname := base64.RawURLEncoding.EncodeToString(hash[:])
tokfile := filepath.Join(tokPrefix, tokname+".tok.txt")
_, err = ioutil.ReadFile(tokfile)
if nil != err {
http.Error(w, "database connection failed when reading verification token", http.StatusInternalServerError)
return
}
// TODO promote JWK to public... and related to an ID or email?? if err := checkOTP(token); nil != err {
os.Remove(tokfile) http.Error(w, "Internal Server Error", http.StatusInternalServerError)
fmt.Fprintf(w, "%s", err)
return
}
fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n") fmt.Fprintf(w, `{ "success": true, "error": "" }%s`, "\n")
})) }))
@ -374,6 +420,77 @@ func Route(jwksPrefix string, privkey keypairs.PrivateKey) http.Handler {
return http.DefaultServeMux return http.DefaultServeMux
} }
var tokenPrefix string
func newOTP() (string, error) {
rnd, err := uuid.NewRandom()
if nil != err {
// nothing else to do if we run out of random
// or are on a platform that doesn't support random
panic(fmt.Errorf("random bytes read failure: %w", err))
}
token := base64.RawURLEncoding.EncodeToString(rnd[:])
// We hash the random value to prevent DB / FS / compare timing attacks
tokenID := sha1.Sum([]byte(token))
tokenName := base64.RawURLEncoding.EncodeToString(tokenID[:])
if err := ioutil.WriteFile(
filepath.Join(tokenPrefix, tokenName+".tok.txt"),
[]byte(`{"comment":"TODO: metadata goes here"}`),
// keep it secret, keep it safe
os.FileMode(0600),
); nil != err {
return "", errors.New("database connection failed when writing verification token")
}
return token, nil
}
func checkOTP(token string) error {
// We hash the random value to prevent DB / FS / compare timing attacks
tokenID := sha1.Sum([]byte(token))
tokenName := base64.RawURLEncoding.EncodeToString(tokenID[:])
tokfile := filepath.Join(tokenPrefix, tokenName+".tok.txt")
if _, err := ioutil.ReadFile(tokfile); nil != err {
return errors.New("database connection failed when reading verification token")
}
// TODO promote JWK to public... and related to an ID or email??
_ = os.Remove(tokfile)
return nil
}
func startVerification(baseURL, contact string) error {
email := strings.Replace(contact, "mailto:", "", -1)
if "" == email {
return errors.New("missing contact:[\"mailto:me@example.com\"]")
}
// TODO check DNS for MX records
if !strings.Contains(email, "@") || strings.Contains(email, " \t\n") {
return errors.New("invalid email address")
}
// TODO expect JWK in JWS/JWT
// TODO place validated JWK into file with token
token, err := newOTP()
if nil != err {
return err
}
subject := "Verify New Account"
// TODO go tpl
// TODO determine OS and Browser from user agent
text := fmt.Sprintf(
"It looks like you just tried to register a new Pocket ID account.\n\n Verify account: %s/verify/%s\n\nNot you? Just ignore this message.",
baseURL, token,
)
if _, err = SendSimpleMessage(email, defaultFrom, subject, text, defaultReplyTo); nil != err {
return err
}
return nil
}
func getBaseURL(r *http.Request) string { func getBaseURL(r *http.Request) string {
var scheme string var scheme string
if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") { if nil != r.TLS || "https" == r.Header.Get("X-Forwarded-Proto") {

19
vendor/git.rootprojects.org/root/hashcash/.gitignore generated vendored Normal file
View File

@ -0,0 +1,19 @@
cmd/hashcash/hashcash
# ---> Go
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
# Test binary, built with `go test -c`
*.test
# Output of the go coverage tool, specifically when used with LiteIDE
*.out
# Dependency directories (remove the comment below to include it)
# vendor/

312
vendor/git.rootprojects.org/root/hashcash/LICENSE generated vendored Normal file
View File

@ -0,0 +1,312 @@
Mozilla Public License Version 2.0
1. Definitions
1.1. "Contributor" means each individual or legal entity that creates, contributes
to the creation of, or owns Covered Software.
1.2. "Contributor Version" means the combination of the Contributions of others
(if any) used by a Contributor and that particular Contributor's Contribution.
1.3. "Contribution" means Covered Software of a particular Contributor.
1.4. "Covered Software" means Source Code Form to which the initial Contributor
has attached the notice in Exhibit A, the Executable Form of such Source Code
Form, and Modifications of such Source Code Form, in each case including portions
thereof.
1.5. "Incompatible With Secondary Licenses" means
(a) that the initial Contributor has attached the notice described in Exhibit
B to the Covered Software; or
(b) that the Covered Software was made available under the terms of version
1.1 or earlier of the License, but not also under the terms of a Secondary
License.
1.6. "Executable Form" means any form of the work other than Source Code Form.
1.7. "Larger Work" means a work that combines Covered Software with other
material, in a separate file or files, that is not Covered Software.
1.8. "License" means this document.
1.9. "Licensable" means having the right to grant, to the maximum extent possible,
whether at the time of the initial grant or subsequently, any and all of the
rights conveyed by this License.
1.10. "Modifications" means any of the following:
(a) any file in Source Code Form that results from an addition to, deletion
from, or modification of the contents of Covered Software; or
(b) any new file in Source Code Form that contains any Covered Software.
1.11. "Patent Claims" of a Contributor means any patent claim(s), including
without limitation, method, process, and apparatus claims, in any patent Licensable
by such Contributor that would be infringed, but for the grant of the License,
by the making, using, selling, offering for sale, having made, import, or
transfer of either its Contributions or its Contributor Version.
1.12. "Secondary License" means either the GNU General Public License, Version
2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General
Public License, Version 3.0, or any later versions of those licenses.
1.13. "Source Code Form" means the form of the work preferred for making modifications.
1.14. "You" (or "Your") means an individual or a legal entity exercising rights
under this License. For legal entities, "You" includes any entity that controls,
is controlled by, or is under common control with You. For purposes of this
definition, "control" means (a) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or otherwise,
or (b) ownership of more than fifty percent (50%) of the outstanding shares
or beneficial ownership of such entity.
2. License Grants and Conditions
2.1. Grants
Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive
license:
(a) under intellectual property rights (other than patent or trademark) Licensable
by such Contributor to use, reproduce, make available, modify, display, perform,
distribute, and otherwise exploit its Contributions, either on an unmodified
basis, with Modifications, or as part of a Larger Work; and
(b) under Patent Claims of such Contributor to make, use, sell, offer for
sale, have made, import, and otherwise transfer either its Contributions or
its Contributor Version.
2.2. Effective Date
The licenses granted in Section 2.1 with respect to any Contribution become
effective for each Contribution on the date the Contributor first distributes
such Contribution.
2.3. Limitations on Grant Scope
The licenses granted in this Section 2 are the only rights granted under this
License. No additional rights or licenses will be implied from the distribution
or licensing of Covered Software under this License. Notwithstanding Section
2.1(b) above, no patent license is granted by a Contributor:
(a) for any code that a Contributor has removed from Covered Software; or
(b) for infringements caused by: (i) Your and any other third party's modifications
of Covered Software, or (ii) the combination of its Contributions with other
software (except as part of its Contributor Version); or
(c) under Patent Claims infringed by Covered Software in the absence of its
Contributions.
This License does not grant any rights in the trademarks, service marks, or
logos of any Contributor (except as may be necessary to comply with the notice
requirements in Section 3.4).
2.4. Subsequent Licenses
No Contributor makes additional grants as a result of Your choice to distribute
the Covered Software under a subsequent version of this License (see Section
10.2) or under the terms of a Secondary License (if permitted under the terms
of Section 3.3).
2.5. Representation
Each Contributor represents that the Contributor believes its Contributions
are its original creation(s) or it has sufficient rights to grant the rights
to its Contributions conveyed by this License.
2.6. Fair Use
This License is not intended to limit any rights You have under applicable
copyright doctrines of fair use, fair dealing, or other equivalents.
2.7. Conditions
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
Section 2.1.
3. Responsibilities
3.1. Distribution of Source Form
All distribution of Covered Software in Source Code Form, including any Modifications
that You create or to which You contribute, must be under the terms of this
License. You must inform recipients that the Source Code Form of the Covered
Software is governed by the terms of this License, and how they can obtain
a copy of this License. You may not attempt to alter or restrict the recipients'
rights in the Source Code Form.
3.2. Distribution of Executable Form
If You distribute Covered Software in Executable Form then:
(a) such Covered Software must also be made available in Source Code Form,
as described in Section 3.1, and You must inform recipients of the Executable
Form how they can obtain a copy of such Source Code Form by reasonable means
in a timely manner, at a charge no more than the cost of distribution to the
recipient; and
(b) You may distribute such Executable Form under the terms of this License,
or sublicense it under different terms, provided that the license for the
Executable Form does not attempt to limit or alter the recipients' rights
in the Source Code Form under this License.
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice, provided
that You also comply with the requirements of this License for the Covered
Software. If the Larger Work is a combination of Covered Software with a work
governed by one or more Secondary Licenses, and the Covered Software is not
Incompatible With Secondary Licenses, this License permits You to additionally
distribute such Covered Software under the terms of such Secondary License(s),
so that the recipient of the Larger Work may, at their option, further distribute
the Covered Software under the terms of either this License or such Secondary
License(s).
3.4. Notices
You may not remove or alter the substance of any license notices (including
copyright notices, patent notices, disclaimers of warranty, or limitations
of liability) contained within the Source Code Form of the Covered Software,
except that You may alter any license notices to the extent required to remedy
known factual inaccuracies.
3.5. Application of Additional Terms
You may choose to offer, and to charge a fee for, warranty, support, indemnity
or liability obligations to one or more recipients of Covered Software. However,
You may do so only on Your own behalf, and not on behalf of any Contributor.
You must make it absolutely clear that any such warranty, support, indemnity,
or liability obligation is offered by You alone, and You hereby agree to indemnify
every Contributor for any liability incurred by such Contributor as a result
of warranty, support, indemnity or liability terms You offer. You may include
additional disclaimers of warranty and limitations of liability specific to
any jurisdiction.
4. Inability to Comply Due to Statute or Regulation
If it is impossible for You to comply with any of the terms of this License
with respect to some or all of the Covered Software due to statute, judicial
order, or regulation then You must: (a) comply with the terms of this License
to the maximum extent possible; and (b) describe the limitations and the code
they affect. Such description must be placed in a text file included with
all distributions of the Covered Software under this License. Except to the
extent prohibited by statute or regulation, such description must be sufficiently
detailed for a recipient of ordinary skill to be able to understand it.
5. Termination
5.1. The rights granted under this License will terminate automatically if
You fail to comply with any of its terms. However, if You become compliant,
then the rights granted under this License from a particular Contributor are
reinstated (a) provisionally, unless and until such Contributor explicitly
and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor
fails to notify You of the non-compliance by some reasonable means prior to
60 days after You have come back into compliance. Moreover, Your grants from
a particular Contributor are reinstated on an ongoing basis if such Contributor
notifies You of the non-compliance by some reasonable means, this is the first
time You have received notice of non-compliance with this License from such
Contributor, and You become compliant prior to 30 days after Your receipt
of the notice.
5.2. If You initiate litigation against any entity by asserting a patent infringement
claim (excluding declaratory judgment actions, counter-claims, and cross-claims)
alleging that a Contributor Version directly or indirectly infringes any patent,
then the rights granted to You by any and all Contributors for the Covered
Software under Section 2.1 of this License shall terminate.
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end
user license agreements (excluding distributors and resellers) which have
been validly granted by You or Your distributors under this License prior
to termination shall survive termination.
6. Disclaimer of Warranty
Covered Software is provided under this License on an "as is" basis, without
warranty of any kind, either expressed, implied, or statutory, including,
without limitation, warranties that the Covered Software is free of defects,
merchantable, fit for a particular purpose or non-infringing. The entire risk
as to the quality and performance of the Covered Software is with You. Should
any Covered Software prove defective in any respect, You (not any Contributor)
assume the cost of any necessary servicing, repair, or correction. This disclaimer
of warranty constitutes an essential part of this License. No use of any Covered
Software is authorized under this License except under this disclaimer.
7. Limitation of Liability
Under no circumstances and under no legal theory, whether tort (including
negligence), contract, or otherwise, shall any Contributor, or anyone who
distributes Covered Software as permitted above, be liable to You for any
direct, indirect, special, incidental, or consequential damages of any character
including, without limitation, damages for lost profits, loss of goodwill,
work stoppage, computer failure or malfunction, or any and all other commercial
damages or losses, even if such party shall have been informed of the possibility
of such damages. This limitation of liability shall not apply to liability
for death or personal injury resulting from such party's negligence to the
extent applicable law prohibits such limitation. Some jurisdictions do not
allow the exclusion or limitation of incidental or consequential damages,
so this exclusion and limitation may not apply to You.
8. Litigation
Any litigation relating to this License may be brought only in the courts
of a jurisdiction where the defendant maintains its principal place of business
and such litigation shall be governed by laws of that jurisdiction, without
reference to its conflict-of-law provisions. Nothing in this Section shall
prevent a party's ability to bring cross-claims or counter-claims.
9. Miscellaneous
This License represents the complete agreement concerning the subject matter
hereof. If any provision of this License is held to be unenforceable, such
provision shall be reformed only to the extent necessary to make it enforceable.
Any law or regulation which provides that the language of a contract shall
be construed against the drafter shall not be used to construe this License
against a Contributor.
10. Versions of the License
10.1. New Versions
Mozilla Foundation is the license steward. Except as provided in Section 10.3,
no one other than the license steward has the right to modify or publish new
versions of this License. Each version will be given a distinguishing version
number.
10.2. Effect of New Versions
You may distribute the Covered Software under the terms of the version of
the License under which You originally received the Covered Software, or under
the terms of any subsequent version published by the license steward.
10.3. Modified Versions
If you create software not governed by this License, and you want to create
a new license for such software, you may create and use a modified version
of this License if you rename the license and remove any references to the
name of the license steward (except to note that such modified license differs
from this License).
10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
If You choose to distribute Source Code Form that is Incompatible With Secondary
Licenses under the terms of this version of the License, the notice described
in Exhibit B of this License must be attached. Exhibit A - Source Code Form
License Notice
This Source Code Form is subject to the terms of the Mozilla Public License,
v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain
one at http://mozilla.org/MPL/2.0/.
If it is not possible or desirable to put the notice in a particular file,
then You may include the notice in a location (such as a LICENSE file in a
relevant directory) where a recipient would be likely to look for such a notice.
You may add additional accurate notices of copyright ownership.
Exhibit B - "Incompatible With Secondary Licenses" Notice
This Source Code Form is "Incompatible With Secondary Licenses", as defined
by the Mozilla Public License, v. 2.0.

41
vendor/git.rootprojects.org/root/hashcash/README.md generated vendored Normal file
View File

@ -0,0 +1,41 @@
# hashcash
HTTP Hashcash implemented in Go.
Explanation at https://therootcompany.com/blog/http-hashcash/
Go docs at https://godoc.org/git.rootprojects.org/root/hashcash
# CLI Usage
Install:
```bash
go get git.rootprojects.org/root/hashcash/cmd/hashcash
```
Usage:
```txt
Usage:
hashcash new [subject *] [expires in 5m] [difficulty 10]
hashcash parse <hashcash>
hashcash solve <hashcash>
hashcash verify <hashcash> [subject *]
```
Example:
```bash
my_hc=$(hashcash new)
echo New: $my_hc
hashcash parse "$my_hc"
echo ""
my_hc=$(hashcash solve "$my_hc")
echo Solved: $my_hc
hashcash parse "$my_hc"
echo ""
hashcash verify "$my_hc"
```

3
vendor/git.rootprojects.org/root/hashcash/go.mod generated vendored Normal file
View File

@ -0,0 +1,3 @@
module git.rootprojects.org/root/hashcash
go 1.15

284
vendor/git.rootprojects.org/root/hashcash/hashcash.go generated vendored Normal file
View File

@ -0,0 +1,284 @@
package hashcash
import (
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"encoding/binary"
"errors"
"strconv"
"strings"
"time"
)
// ErrParse is returned when fewer than 6 or more than 7 segments are split
var ErrParse = errors.New("could not split the hashcash parts")
// ErrInvalidTag is returned when the Hashcash version is unsupported
var ErrInvalidTag = errors.New("expected tag to be 'H'")
// ErrInvalidDifficulty is returned when the difficulty is outside of the acceptable range
var ErrInvalidDifficulty = errors.New("the number of bits of difficulty is too low or too high")
// ErrInvalidDate is returned when the date cannot be parsed as a positive int64
var ErrInvalidDate = errors.New("invalid date")
// ErrExpired is returned when the current time is past that of ExpiresAt
var ErrExpired = errors.New("expired hashcash")
// ErrInvalidSubject is returned when the subject is invalid or does not match that passed to Verify()
var ErrInvalidSubject = errors.New("the subject is invalid or rejected")
// ErrInvalidNonce is returned when the nonce
//var ErrInvalidNonce = errors.New("the nonce has been used or is invalid")
// ErrUnsupportedAlgorithm is returned when the given algorithm is not supported
var ErrUnsupportedAlgorithm = errors.New("the given algorithm is invalid or not supported")
// ErrInvalidSolution is returned when the given hashcash is not properly solved
var ErrInvalidSolution = errors.New("the given solution is not valid")
// MaxDifficulty is the upper bound for all Solve() operations
var MaxDifficulty = 26
// Sep is the separator character to use
var Sep = ":"
// no milliseconds
//var isoTS = "2006-01-02T15:04:05Z"
// Hashcash represents a parsed Hashcash string
type Hashcash struct {
Tag string `json:"tag"` // Always "H" for "HTTP"
Difficulty int `json:"difficulty"` // Number of "partial pre-image" (zero) bits in the hashed code
ExpiresAt time.Time `json:"exp"` // The timestamp that the hashcash expires, as seconds since the Unix epoch
Subject string `json:"sub"` // Resource data string being transmitted, e.g., a domain or URL
Nonce string `json:"nonce"` // Unique string of random characters, encoded as url-safe base-64
Alg string `json:"alg"` // always SHA-256 for now
Solution string `json:"solution"` // Binary counter, encoded as url-safe base-64
}
// New returns a Hashcash with reasonable defaults
func New(h Hashcash) *Hashcash {
h.Tag = "H"
if 0 == h.Difficulty {
// safe for WebCrypto
h.Difficulty = 10
}
if h.ExpiresAt.IsZero() {
h.ExpiresAt = time.Now().Add(5 * time.Minute)
}
h.ExpiresAt = h.ExpiresAt.UTC().Truncate(time.Second)
if "" == h.Subject {
h.Subject = "*"
}
if "" == h.Nonce {
nonce := make([]byte, 16)
if _, err := rand.Read(nonce); nil != err {
panic(err)
return nil
}
h.Nonce = base64.RawURLEncoding.EncodeToString(nonce)
}
if "" == h.Alg {
h.Alg = "SHA-256"
}
/*
if "SHA-256" != h.Alg {
// TODO error
}
*/
return &h
}
// Parse will (obviously) parse the hashcash string, without verifying any
// of the parameters.
func Parse(hc string) (*Hashcash, error) {
parts := strings.Split(hc, Sep)
n := len(parts)
if n < 6 || n > 7 {
return nil, ErrParse
}
tag := parts[0]
if "H" != tag {
return nil, ErrInvalidTag
}
bits, err := strconv.Atoi(parts[1])
if nil != err || bits < 0 {
return nil, ErrInvalidDifficulty
}
// Allow empty ExpiresAt
var exp time.Time
if "" != parts[2] {
expAt, err := strconv.ParseInt(parts[2], 10, 64)
if nil != err || expAt < 0 {
return nil, ErrInvalidDate
}
exp = time.Unix(int64(expAt), 0).UTC()
}
/*
exp, err := time.ParseInLocation(isoTS, parts[2], time.UTC)
if nil != err {
return nil, ErrInvalidDate
}
*/
sub := parts[3]
nonce := parts[4]
alg := parts[5]
var solution string
if n > 6 {
solution = parts[6]
}
h := &Hashcash{
Tag: tag,
Difficulty: bits,
ExpiresAt: exp.UTC().Truncate(time.Second),
Subject: sub,
Nonce: nonce,
Alg: alg,
Solution: solution,
}
return h, nil
}
// String will return the formatted Hashcash, omitting the solution if it has not be solved.
func (h *Hashcash) String() string {
var solution string
if "" != h.Solution {
solution = Sep + h.Solution
}
var expAt string
if !h.ExpiresAt.IsZero() {
expAt = strconv.FormatInt(h.ExpiresAt.UTC().Truncate(time.Second).Unix(), 10)
}
return strings.Join(
[]string{
"H",
strconv.Itoa(h.Difficulty),
//h.ExpiresAt.UTC().Format(isoTS),
expAt,
h.Subject,
h.Nonce,
h.Alg,
},
Sep,
) + solution
}
// Verify the Hashcash based on Difficulty, Algorithm, ExpiresAt, Subject and,
// of course, the Solution and hash.
func (h *Hashcash) Verify(subject string) error {
if h.Difficulty < 0 {
return ErrInvalidDifficulty
}
if "SHA-256" != h.Alg {
return ErrUnsupportedAlgorithm
}
if !h.ExpiresAt.IsZero() && h.ExpiresAt.Sub(time.Now()) < 0 {
return ErrExpired
}
if subject != h.Subject {
return ErrInvalidSubject
}
bits := h.Difficulty
hash := sha256.Sum256([]byte(h.String()))
n := bits / 8 // 10 / 8 = 1
m := bits % 8 // 10 % 8 = 2
if m > 0 {
n++ // 10 bits = 2 bytes
}
if !verifyBits(hash[:n], bits, n) {
return ErrInvalidSolution
}
return nil
}
func verifyBits(hash []byte, bits, n int) bool {
for i := 0; i < n; i++ {
if bits > 8 {
bits -= 8
if 0 != hash[i] {
return false
}
continue
}
// (bits % 8) == bits
pad := 8 - bits
if 0 != hash[i]>>pad {
return false
}
return true
}
// 0 == bits
return true
}
// Solve will search for a solution, returning an error if the difficulty is
// above the local or global MaxDifficulty, the Algorithm is unsupported.
func (h *Hashcash) Solve(maxDifficulty int) error {
if "SHA-256" != h.Alg {
return ErrUnsupportedAlgorithm
}
if h.Difficulty < 0 {
return ErrInvalidDifficulty
}
if h.Difficulty > maxDifficulty || h.Difficulty > MaxDifficulty {
return ErrInvalidDifficulty
}
if "" != h.Solution {
if nil == h.Verify(h.Subject) {
return nil
}
h.Solution = ""
}
hashcash := h.String()
bits := h.Difficulty
n := bits / 8 // 10 / 8 = 1
m := bits % 8 // 10 % 8 = 2
if m > 0 {
n++ // 10 bits = 2 bytes
}
var solution uint32 = 0
sb := make([]byte, 4)
for {
// Note: it's not actually important what method of change or encoding is used
// but incrementing by 1 on an int32 is good enough, and makes for a small base64 encoding
binary.LittleEndian.PutUint32(sb, solution)
h.Solution = base64.RawURLEncoding.EncodeToString(sb)
hash := sha256.Sum256([]byte(hashcash + Sep + h.Solution))
if verifyBits(hash[:n], bits, n) {
return nil
}
solution++
}
}

2
vendor/modules.txt vendored
View File

@ -1,3 +1,5 @@
# git.rootprojects.org/root/hashcash v1.0.1
git.rootprojects.org/root/hashcash
# git.rootprojects.org/root/keypairs v0.5.2 # git.rootprojects.org/root/keypairs v0.5.2
git.rootprojects.org/root/keypairs git.rootprojects.org/root/keypairs
git.rootprojects.org/root/keypairs/keyfetch git.rootprojects.org/root/keypairs/keyfetch

46
xkeypairs/jose.go Normal file
View File

@ -0,0 +1,46 @@
package xkeypairs
import (
"encoding/base64"
"encoding/json"
"errors"
)
func (jws *JWS) DecodeComponents() error {
protected, err := base64.RawURLEncoding.DecodeString(jws.Protected)
if nil != err {
return errors.New("invalid JWS header base64Url encoding")
}
if err := json.Unmarshal([]byte(protected), &jws.Header); nil != err {
return errors.New("invalid JWS header")
}
payload, err := base64.RawURLEncoding.DecodeString(jws.Payload)
if nil != err {
return errors.New("invalid JWS payload base64Url encoding")
}
if err := json.Unmarshal([]byte(payload), &jws.Claims); nil != err {
return errors.New("invalid JWS claims")
}
return nil
}
/*
func Decode(msg string) (*JWS, error) {
jws := &JWS{}
decoder := json.NewDecoder(r.Body)
err := decoder.Decode(jws)
return jws, err
}
func Unmarshal(msg string) (*JWS, error) {
jws := &JWS{}
if err := json.Unmarshal([]byte(msg), jws); nil != err {
return nil, err
}
return jws, nil
}
*/