
MSC2787: add digital signature challenge response authentication mechanism

Open fabius opened this issue 3 years ago • 0 comments

Using asymmetric key-pairs, a user should be able to log in via a cryptographic challenge-response authentication mechanism as stated in MSC2787. This PR implements a digital-signature-based CRAM using ed25519 key pairs.

Because this is a proposed feature, this probably should not be merged into master. I just have not found an appropriate branch for this.

Reproducing the workflow:

# get dendrite up and running
git clone --branch MSC2787-CRAM https://github.com/fabius/dendrite.git
cd dendrite
./build.sh
./bin/generate-keys --private-key matrix_key.pem && ./bin/generate-keys --tls-cert server.crt --tls-key server.key
cp dendrite-config.yaml dendrite.yaml
./bin/dendrite-monolith-server --tls-cert server.crt --tls-key server.key --config dendrite.yaml

# in a new shell, create an account on your local dendrite instance
go run cmd/create-account/main.go --config dendrite.yaml -username alice -password secret -create-keypair

# send an empty POST request to receive the challenge to solve
curl -k -XPOST "https://localhost:8448/_matrix/client/r0/login" -d '{"identifier":{"type":"m.id.user","user":"alice"}, "type": "m.login.challenge_response"}'
# should respond something like: {"completed":[],"flows":[{"stages":["m.login.password"]},{"stages":["m.login.challenge_response"]}],"session":"dBt9OfJ6xqzM00JSoENccKpKlu3ukxUWDxWtzDLyKW8","params":{"challenge":"1639588278dBt9OfJ6xqzM00JSoENccKpKlu3ukxUWDxWtzDLyKW8"}}

# sign the challenge string
go run cmd/sign-challenge/main.go -input <the "challenge" you just got> -private-key private.key.seed

# provide the signature using the new CRAM login
curl -k -XPOST "https://localhost:8448/_matrix/client/r0/login" -d '{"auth": {"signature":"<your signature>","type": "m.login.challenge_response","session":"<the session you previously received>","identifier":{"type":"m.id.user","user":"alice"}}, "type": "m.login.challenge_response"}'

Pull Request Checklist

  • [x] I have added any new tests that need to pass to sytest-whitelist as specified in docs/sytest.md
  • [x] Pull request includes a sign off

Signed-off-by: Fabian Deifuß <[email protected]>

fabius, Jan 03 '22 22:01
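As an added example, not code from the MSC2787-CRAM branch or from dendrite, the exchange the commands above drive, written out in Go with both sides in one file: the server issues a challenge shaped like the PR's sample response (unix timestamp followed by the random session id), the client signs it with its ed25519 key, and the server verifies. It also shows the checks a reviewer would look for in such a login flow: the session is bound to the user it was issued for, it is consumed on first use so a captured signature cannot be replayed, and it expires. The names Server, NewChallenge, Verify, SignChallenge and the 5-minute TTL are this example's assumptions, not dendrite's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// challengeTTL bounds how long an issued challenge may be answered.
// The 5-minute value is an assumption of this example, not a value from the PR.
const challengeTTL = 5 * time.Minute

// issued records one outstanding challenge: the string the client must sign,
// the user it was issued for, and when it was issued.
type issued struct {
	user      string
	challenge string
	at        time.Time
}

// Server is an illustrative stand-in for the homeserver side: registered
// ed25519 public keys per user plus the outstanding challenges keyed by session.
type Server struct {
	pubKeys  map[string]ed25519.PublicKey
	sessions map[string]issued
	now      func() time.Time // injectable clock so expiry can be exercised
}

func NewServer(now func() time.Time) *Server {
	return &Server{
		pubKeys:  map[string]ed25519.PublicKey{},
		sessions: map[string]issued{},
		now:      now,
	}
}

// Register stores the public key created for a user (what -create-keypair would persist).
func (s *Server) Register(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }

// NewChallenge answers the first, signature-less POST /login. The challenge follows
// the shape of the PR's sample response: unix timestamp followed by the random session id.
func (s *Server) NewChallenge(user string) (session, challenge string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	session = base64.RawURLEncoding.EncodeToString(raw)
	challenge = strconv.FormatInt(s.now().Unix(), 10) + session
	s.sessions[session] = issued{user: user, challenge: challenge, at: s.now()}
	return session, challenge, nil
}

// Verify answers the second POST /login. The session is consumed on first use,
// must belong to the same user, must be fresh, and the signature must verify
// under that user's registered key.
func (s *Server) Verify(user, session string, sig []byte) error {
	c, ok := s.sessions[session]
	if !ok {
		return errors.New("unknown or already used session")
	}
	delete(s.sessions, session) // single use, whether or not the signature is good
	if c.user != user {
		return errors.New("session was issued for a different user")
	}
	if s.now().Sub(c.at) > challengeTTL {
		return errors.New("challenge expired")
	}
	pk, ok := s.pubKeys[user]
	if !ok {
		return errors.New("no key registered for user")
	}
	if !ed25519.Verify(pk, []byte(c.challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// SignChallenge is the client side (the role of cmd/sign-challenge): sign the
// challenge string exactly as received, with the private key derived from the seed.
func SignChallenge(priv ed25519.PrivateKey, challenge string) []byte {
	return ed25519.Sign(priv, []byte(challenge))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer(time.Now)
	srv.Register("alice", pub)

	session, challenge, _ := srv.NewChallenge("alice")
	sig := SignChallenge(priv, challenge)
	fmt.Println("first login:", srv.Verify("alice", session, sig)) // <nil>
	fmt.Println("replayed:   ", srv.Verify("alice", session, sig)) // error: session consumed
}
```

The client signs the challenge bytes verbatim; any normalisation or re-encoding between the /login response and the signing step would make the signature fail, which is why the sign-challenge tool above takes the challenge string as-is. Binding the session to the user at issue time matters because the PR's first request already names the user: without that binding, a session issued for one account could be completed with a signature over a different account's key.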