Signer-less Device Pairing #281
Conversation
nepet
force-pushed
the
202309-pairing-protocol
branch
from
41335cf
to
4050841
Compare
nepet
force-pushed
the
main-0.2
branch
2 times, most recently
from
92251ee
to
981db7e
Compare
nepet
force-pushed
the
main-0.2
branch
2 times, most recently
from
8b5a797
to
40c5809
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
from
4050841
to
8fb8916
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
from
8fb8916
to
5c485cd
Compare
nepet
force-pushed
the
main-0.2
branch
2 times, most recently
from
ad9d0b4
to
180bb26
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
2 times, most recently
from
e0db8e2
to
157a322
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
from
157a322
to
ed1aed8
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
from
3194f42
to
2d46078
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
from
2d46078
to
9cec7a5
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
from
9cec7a5
to
06d40ab
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
from
06d40ab
to
6265146
Compare
nepet
force-pushed
the
main-0.2
branch
3 times, most recently
from
644185e
to
d010f8d
Compare
nepet
force-pushed
the
main-0.2
branch
5 times, most recently
from
f2b305e
to
f504032
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
3 times, most recently
from
d0f25a9
to
53d054e
Compare
There was a problem hiding this comment.
Is this an old iteration of attestation_device.rs?
|
|
||
| pub struct Client<T> { | ||
| inner: T, | ||
| tls: TlsConfig, |
There was a problem hiding this comment.
Any strong objections to replacing tls, rune, and key with creds?
It would make the definition of the Client smaller and allows us to skip passing the node_id to approve_pairing
| session_id: &str, | ||
| node_id: &[u8], | ||
| device_name: &str, | ||
| restrs: &str, |
There was a problem hiding this comment.
Can the restrictions argument here be dropped?
If we allow the attestation device to put whatever restrictions they want, the application requesting the pairing may too little access to fulfill their use-case. Can we make it like android permissions where the base permissions are all or nothing? A gl-client consumer can show the user the restrictions put on the app with the pairing request when they receive it in get_pairing_data. Then the pairing can be completed from the restrictions from the original pairing request on the server-side.
Also, what do you think about letting the attestation device reject the pairing request? I'm thinking it might be helpful for the requesting application on the UX side if the user doesn't like the proposed restrictions
Edit: Removed the part about completing the pairing using restrictions saved by the server. As discussed, there would be no way for the server to tack-on restrictions to the message sent to the signer_requests_stream connection since it expects the client's tls keypair to cover the data. And because requiring a signature (from the requester of the new_device) for verification in the attestation device's signer is probably not a good idea.
| &self, | ||
| session_id: &str, | ||
| node_id: &[u8], | ||
| device_name: &str, |
There was a problem hiding this comment.
Can we make the device_name optional?
| ) -> () { | ||
| let mut data = vec![]; | ||
| data.put(req.session_id.as_bytes()); | ||
| data.put_u64(req.timestamp); |
There was a problem hiding this comment.
Should the timestamp be checked in this method to bound its staleness like what was mentioned in the comment here?:
| let mut data = vec![]; | ||
| data.put(req.session_id.as_bytes()); | ||
| data.put_u64(req.timestamp); | ||
| data.put(&req.node_id[..]); |
There was a problem hiding this comment.
Could we pull the node_id from self here?
| impl Client<Unconnected> { | ||
| pub fn new<T>(creds: T) -> Client<Unconnected> | ||
| where | ||
| T: TlsConfigProvider, |
There was a problem hiding this comment.
Should we return an error if device_creds are passed in? Or are we allowing a pairing to be scoped to a greenlight node?
nepet
force-pushed
the
202309-pairing-protocol
branch
from
53d054e
to
dd15fc9
Compare
nepet
force-pushed
the
202309-pairing-protocol
branch
3 times, most recently
from
eefc7d3
to
5021f5b
Compare
We need to create a keypair before we can actually create the cert during the pairing process. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
This commit only affects the protos, generated files and places that include the protos. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
This implements the service and the methods to initialize a pairing session on the "new device" Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
Adds the PairingQR proto message and pass it to the channel once we did the request. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
Adds a method that returns the relevant data for "old device" to approve a pairing. This includes the requested restrictions that an old device needs to sign off. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
Adds the approval of the old device. This does not check the signature and does also not check the restrictions. This soley approves the pairing request. This needs a tls cert and a rune to be present as we need these to sign and attestate the approval. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
This adds a method to the pairing service that allows to check the validity of the PairingDataResponse. This is that the public key from the session_id matches the public key from the CSR. We may want to add a signature for the restrictions to ensure that GL did not manipulate them. We are OK for now as a user has to aggree to the restrictions anyway. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
This is preperatory to set up the scheduler -> signer stream. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
Signer now receives requests from the scheduler for further processing. The signer processes a ApprovePairingRequest and responds to the scheduler. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
This commit replaces TlsConfig dependencies introduced by the signerless device pairing with Credentials. Signed-off-by: Peter Neuroth <pet.v.ne@gmail.com>
nepet
force-pushed
the
202309-pairing-protocol
branch
from
5021f5b
to
613af99
Compare
| uint64 timestamp = 2; | ||
|
|
||
| // The id of the node to pair with. | ||
| bytes node_id = 3; |
There was a problem hiding this comment.
Can we remove this since it looks like it's pulled from the cert on the server side?
| match self.verify_rune(PendingRequest { | ||
| request: vec![], | ||
| uri: "/cln.Node/ApprovePairing".to_string(), | ||
| signature: req.sig, |
There was a problem hiding this comment.
Does the Context need to be updated to handle the signature?
greenlight/libs/gl-client/src/runes.rs
Line 159 in e38a376
This PR adds the "Pairing Process/Protocol" to the client stack. The Pairing-Process is a way to connect a signer-less client to a greenlight node. The pairing request has to be approved by a trusted device.
I'll add a more details about the process soon.