See Issue #63 for context.
Defensive protection for ClaimFormat.FINGERPRINT scenario #64
aspensmonster/doipjs:issue/63 into dev ClaimFormat.FINGERPRINT scenario
Issue #63
@yarmo please review!
https://community.keyoxide.org/d/250-keybase-claim-fails-even-though-fingerprint-matches
@ -64,6 +64,9 @@ export function generateClaim (fingerprint, format) {
}
return `openpgp4fpr:${fingerprint}`
case ClaimFormat.FINGERPRINT:
if (fingerprint.match(/^(openpgp4fpr|aspe):/)) {
Just a quick thing I am noticing: we should also strip the ASPE server domain out of this too. Given a URI aspe:keyoxide.org:5E3VMLXIKAN4H4RRZZC7TEXHNY, this function will return the string keyoxide.org:5E3VMLXIKAN4H4RRZZC7TEXHNY even though 5E3VMLXIKAN4H4RRZZC7TEXHNY is the correct fingerprint.
As per https://ariadne.id/related/ariadne-signature-profile-0/ section 2.2 (ASP fingerprint):
The fingerprint (or thumbprint) for an ASP follows the method defined in [RFC7638] for computing JWK thumbprints and is obtained as follows:
- construct a JSON object with the "crv", "kty", "x" and "y" (when present) properties in that specific order obtained from the signing key,
- stringify the JSON object,
- hash the string using SHA512,
- take the first 16 bytes of the resulting hash,
- encode them using BASE32 (no padding).
The resulting string is the fingerprint for the ASP and will be used as proof to verify the identity claims.
As the spec states, the correct "fingerprint" used for proof verification is the raw hashed version of the key, and doesn't include the ASPE server it is hosted on.
EDIT: I now realize that the current code only returns keyoxide.org rather than including the fingerprint at all, but the point still stands: the code currently doesn't work, and we need to strip everything until the last : as @vladimyr stated.
Just a quick thing I am noticing: we should also strip the ASPE server domain out of this too. Given a URI
aspe:keyoxide.org:5E3VMLXIKAN4H4RRZZC7TEXHNY, ...
FYI we had brief discussion on Matrix channel about aspe: URIs. I'm about to open an issue specifically for addressing that but the current consensus on the matter is that:
- in the future we are going to use URIs without authority section aka
aspe:5E3VMLXIKAN4H4RRZZC7TEXHNY - existing URIs are actually malformed and need to be rewritten into
aspe://keyoxide.org/5E3VMLXIKAN4H4RRZZC7TEXHNY
so please make sure to strip everything until last : or /!
Would be amazing to get this moving. I'm also affected. It's the single high-priority PR open. Let me know if you'd like me to make a new PR for this.
@aspensmonster please rebase this!
@aspensmonster Would you be willing to accept the little suggestion?
@ -65,2 +65,4 @@
return `openpgp4fpr:${fingerprint}`
case ClaimFormat.FINGERPRINT:
if (fingerprint.match(/^(openpgp4fpr|aspe):/)) {
return fingerprint.split(':')[1]
From what I gather this could be:
- return fingerprint.split(':')[1]
+ return fingerprint.split(':').at(-1)
🤦
My bad.
Let me open a PR.
Archived
Archived
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?