webauthn signatures

[imalsogreg]

This PR adds WebAuthn as a PPKScheme, allowing WebAuthn signatures to be used for user authentication in pact commands.

It also removes some things that were hard to maintain alongside WebAuthn:

• Associated types for pub/private key and signature in the Scheme class are removed.
• SomeKeyPair is removed.
• All methods in the Scheme class except _valid are removed.
• The ETH scheme and all its support code were removed.

Removing those things has several consequences:

• Callsites of the removed Scheme class switch to monomorphic versions, assuming ED25519
• The format-address repl builtin is removed (it relied on a deleted Scheme method)

The removed methods in Scheme are primarily used in client code, for instance when Pact generates a .yaml command file, or when we generate keys in tests. This helps justify the simplification of Scheme, since we're primarily impacting client code. The server-oriented code paths are relatively unchanged.

Implementation

A signature is valid as a WebAuthn signature if

• it is formatted as a JSON object with a few required fields: clientDataJSON, authenticatorData, and signature
• These pieces can combine according the the WebAuthn spec to produce a signature valid for the public key, and
• The PactHash embedded in the clientDataJSON (where it is named "challenge") is the same as the PactHash of the Command.

Clients may issue transactions with webauthn signatures by stringifying a JSON blob according to the spec. An example of such a blob is included in the unit tests.

base64-bytestring upgrade

The webauthn library requires base64-bytestring > 1.0, and pact requires base64-bytestring < 1.0, so this PR also bumps the base64-bytestring library in pact (which will require a bump in chainweb-node, too).

Bumping base64-bytestring is difficult because the new version produces different error messages than the old version (and in some cases, the new version rejects base64-encoded messages that were accepted by old versions). These error messages end up on chain, so to get hash compatibility for historical blocks, we must emulate the old base64-bytestring's behavior. We encountered this issue only in the decodeBase64 native and the str-to-int native, so the behavior-shimming code is colocated with the native definitions (in Native.hs).

[emilypi]

weird indentations here and below on some things

[imalsogreg]

Better now?

[rsoeldner]

This is not aligned with line 1349:

...
Left e -> evalError' si (pretty e)

[imalsogreg]

Oh, you mean 1349 calls pretty on a String while 1422 calls pretty on a Text? That does seem like a discrepancy. I'll change both to call pretty on a Text, and recheck replay. Good catch!

[rsoeldner]

Maybe

Suggested change

	WebAuthnSignature
	{ authenticatorData
	, signature
	, clientDataJSON } <- A.eitherDecode (BSL.fromStrict sigBS)
	WebAuthnSignature{..} <- A.eitherDecode (BSL.fromStrict sigBS)

using {-# LANGUAGE RecordWildCards #-}

[imalsogreg]

I like NamedFieldPuns because it makes the identifiers being brought into scope explicit. Meaning: if someone reading the code didn't know what authenticationData is, or where it comes from, NamedFieldPuns makes it greppable, while RecordWildCards doesn't.

[emilypi]

Alternatively, construct/destruct the thing directly since we're not even really punning as much as we are constructing directly.

[imalsogreg]

I like NamedFieldPuns even for vanilla record desructuring too, since it removes the possibility of accidentally naming fields out of order. Meaning, I could write:

  WebAuthnSignature sig authData clientData <- decode sigBS
    -- (Is this what you mean by destruct the thing directly?)
  ...

and it would typecheck but be subtly wrong, because I accidentally swapped the field names around for fields that have the same type.

[jwiegley]

What does dropping this have to do with WebAuthn signatures?

[imalsogreg]

Dropping it was required after removing a method from the Scheme typeclass that format-address required.

We have to remove some methods and associated types from Scheme to accommodate webauthn. It's believed be to be unused or only used very rarely.

[jwiegley]

Are we dropping this module because the WebAuthn support supercedes the functionality?

[imalsogreg]

While we were modifying the Scheme typeclass to support webauthn, another instance of that typeclass, the ETH scheme (and the Pact.Types.ECDSA module that supported it) came up as a place to eliminate some effectively-dead code.

[jwiegley]

If we start integrating more with other changes, would we still want to monomorphize the signature scheme?

[imalsogreg]

There are some integrations we could make that would introduce new PPK schemes. Depending on the details of how those integrations work, they might not see the changes here in Pact.ApiReq, since Pact.ApiReq is only used client-side, e.g. by users signing requests and making API calls to a pact server. A rule of thumb I used in this PR was to be more cautious changing server-side code, but more liberal with client-side code as needed).

A new integration that merely needs signature verification in pact will not be bothered by the monomorphization happening in client code here. But an integration that also wanted client-side support would indeed be less convenient to write, after we remove SomeKeyPair.

[jwiegley]

This doesn't conflict with the import of first from Control.Arrow just above?

[imalsogreg]

import Control.Arrow hiding (app, first)
Added it to the hiding so I could have my bifunctor first.

[jwiegley]

I feel like there are really 4 PRs hiding in this one:

1. Monomorphizing the signature scheme
2. Dropping the ETH PPKScheme
3. Dropping format-address
4. Adding the WebAuthn PPKScheme

I want to hear from @larskuhtz whether we'd like to keep the ETH scheme, if we're going to be doing bridging with Ethereum...

[imalsogreg]

Just 4? Don't forget bumping base64-bytestring! :) That's got to count as 3 all on its own.

[jwiegley]

This is looking good, just a few comments made!

[sirlensalot]

Great work! Main note is we should reconsider removing ETH, see comment in Pact.Types.Crypto.

EDIT scratch that, Eth ECDSA support for Pact payloads is a dead letter. ECDSA support in the context of ethereum compatibility (Solidity ABI, or EVM support) uses a different payload.

[edmundnoble]

I'm a bit worried by the amount of aeson instances here being used to decode things that are on-chain, but I don't suggest changing this at this point.

[edmundnoble]

Should we restrict the algorithm here to just a few to avoid algorithm confusion attacks? I think @EnoF wanted the algorithm "ES256", which has COSE identifier -7. https://portswigger.net/web-security/jwt/algorithm-confusion

[imalsogreg]

I've added some code that restricts to -7 or -8. (ECDSA SHA-256, and EdDSA respectively).

I informally tested the restriction by setting the requirement to -1 or -8 temporarily and observing that the happy path signature failed.

I'll hopefully be able to generate a test case that we can check in to the repo soon. But it requires spinning up a server that. implements webauthn to create new sample keys with a different signing algorithm.

[edmundnoble]

If we do restrict the signing algorithm we should have a test for it