PASETO authenticator and identifier

[cnizzardini]

This is a rough draft implementation of PASETO (Platform Agnostic Security Tokens). This supports local symmetric keys and public asymmetric keys, but does not yet have support for keyrings and PASERK which gives functionality similar to JWKS. If there is interest in this I can add support for those items as well as unit tests and docs.

Usage:

Usage is fairly similar to the JWT Authenticator with the addition of a few keys:

        $service->loadIdentifier('Authentication.PasetoSubject');
        $service->loadAuthenticator('Authentication.Paseto', [
            'purpose' => PasetoAuthenticator::LOCAL, // or PasetoAuthenticator::PUBLIC
        ]);

There is also a version which takes an implementation of ProtocolInterface but defaults to the latest version in paseto (currently v4).

Using the public option is a little PITA to generate keys and I'd like to get a shell command added to the main paseto lib to easily generate the public/private key pairs.

Building a local token:

        /** @var ResultInterface $result **/
        $key = SymmetricKey::v4(Security::getSalt());

        $token = (new Builder())
            ->setKey($key)
            ->setSubject($result->getData()->get('id'))
            ->setVersion(new Version4)
            ->setPurpose(Purpose::local())
            // Set it to expire in one day
            ->setIssuedAt()
            ->setNotBefore()
            ->setExpiration(
                (new DateTime())->add(new DateInterval('P01D'))
            )
            // Store arbitrary data
            ->setClaims([
                'claim_data' => 'is encrypted',
            ])
            ->setFooterArray([
                'footer_data' => 'is unencrypted but tamper proof'
            ]);

Reference:

• https://github.com/paragonie/paseto
• https://github.com/paseto-standard/paseto-spec

[markstory]

You'll likely need 3.0.0 here.

[markstory]

Will the application salt always be long enough? Are there length requirements in paseto?

[cnizzardini]

For Symmetric keys between 16 and 64 bytes. sodium_crypto_generichash will throw a SodiumException: unsupported key length exception otherwise, unfortunately this is not well documented here: sodium_crypto_generichash. We could add a validation for this in the authenticator.

For Asymmetric keys it is recommended to use sodium_crypto_sign_keypair to generate the key pairs:

$privateKey = new AsymmetricSecretKey(sodium_crypto_sign_keypair());
$publicKey = $privateKey->getPublicKey();
var_dump($privateKey->encode());
var_dump($publicKey->encode());

This is where I wish the library provided a cli to easily generate those for developers.

[markstory]

This is where I wish the library provided a cli to easily generate those for developers.

We could provide that CLI tool 😄

[markstory]

For Symmetric keys between 16 and 64 bytes. sodium_crypto_generichash will throw a SodiumException: unsupported key length exception otherwise, unfortunately this is not well documented here

That will work. If users get tripped up by the exceptions from libsodium we can always catch errors and rethrow with a better message.

[markstory]

What is the footer used for by application logic?

[cnizzardini]

A token is split into version, purpose, encrypted data, and unencrypted data with dots as the separator.

v4.local.KQVqiaVJbg_V0W9s-ekQMYyjA5sZCSMUFw6WxLJ_6806uE7ceNad9ABgGwgJ_HDN8zLDC_SF9hzFoESX8lt-v_o1LjsahdoOETFlp884ztE-vz5MZq6CfvaVhH4cjT8Wi6p43H95jegzM3BhbjrJpAiUOWISPxbR5Da90WSkCUVSQfMjCzSrTjEQRdTlbBNpjzEOen6f8Vaw-Wl2eqtmzgVDZ5LDcyR9fatO_p_IhH8cFwLXILoORpjFBgeCDXZqr9jaum6zEvAs3XSfWB86RLUM_QD-elM_2DkaCwqS_1btNYKpahRkLpr6ehM8dSKL.eyJmb290ZXJfZGF0YSI6ImlzIHVuZW5jcnlwdGVkIGJ1dCB0YW1wZXIgcHJvb2YifQ

So you can base64 decode the footer segment: eyJmb290ZXJfZGF0YSI6ImlzIHVuZW5jcnlwdGVkIGJ1dCB0YW1wZXIgcHJvb2YifQ to:

{"footer_data":"is unencrypted but tamper proof"}

I assume to give API clients or any client that doesn't have the secret the ability to read non-sensitive data.

[cnizzardini]

I'm thinking for this we will just remove subjectKey and always use sub.

[cnizzardini]

Thinking of hardcoding dataField to "sub"

[cnizzardini]

Don't know how to test this, thinking this should be marked as code coverage ignore.

[cnizzardini]

Not sure I understand this condition, it was borrowed from JwtAuthenticator. How is this scenario possible?

[markstory]

The behavior looks like it wants to reuse the stored payload property. By passing null in, you get the last parsed result.

[cnizzardini]

This was required because of prefer-lowest on 7.2. The method needed from the package was not included until 2.2 (current is 2.5).

[othercorey]

@cnizzardini After fixing the phpstan error, can you squash the commits?

[markstory]

Are there no reasonably secure defaults we could use? Even 'most secure' is a reasonable defaults. Right now we're forcing a lot of decisions on the developer.

[cnizzardini]

We can default to local and v4.

[markstory]

The behavior looks like it wants to reuse the stored payload property. By passing null in, you get the last parsed result.

[markstory]

This seems like a reasonable default purpose to me.

[cnizzardini]

I was thinking LOCAL should be the default purpose. Local is similar to the default for JWT which uses an HMAC secret.

[markstory]

Defaulting to the highest version seems like a good default value as well.

[markstory]

Would be good to have a default value on these too. Good defaults help users succeed with less effort.

[cnizzardini]

We can set defaults to v4 local here as well.

[markstory]

This feels risky to me. Having a method arbitrarily update local scope has not worked out well for us in the past. Can we be more explicit with what is being set in local scope here.

[markstory]

Does this need to use a mock? There is a lot of code being dedicated to mocking to avoid creating a value we could generate with fewer lines of code.

Could we try having a helper method that generates a key pair and creates an authenticator using that key pair. You would also need a method that generates a token for a given input.

This is a bit of plumbing work to do but in the long term it helps with maintenance as we don't have to worry about changes in a mocking library. Additionally it also gives us more confidence in the tests as we are testing more of the subsytem all together.

[othercorey]

@cnizzardini Can you follow up on this?

[cnizzardini]

Its on my mind, some personal items getting in the way of freetime dev right now. Gimme a few days.

…

On Tue, Jun 21, 2022 at 3:24 PM othercorey ***@***.***> wrote: @cnizzardini <https://github.com/cnizzardini> Can you follow up on this? — Reply to this email directly, view it on GitHub <#538 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABJ2HTI5QLF42KM6QV7XJTVQIJFLANCNFSM5XFS2CZA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[othercorey]

@markstory can you take another look?

[ADmad]

Suggested change

	* @since 3.0.0
	* @since 2.10.0

[ADmad]

Suggested change

	'purpose' => 'local',
	'purpose' => self::LOCAL,

[ADmad]

Suggested change

	private $version;
	protected $version;

[ADmad]

The whichVersion() method itself can throw an exception instead of returning null.

[github-actions]

This pull request is stale because it has been open 30 days with no activity. Remove the stale label or comment on this issue, or it will be closed in 15 days