stellar · leighmcculloch · Dec 20, 2019 · Dec 10, 2019 · Dec 18, 2019 · Dec 18, 2019
diff --git a/exp/services/webauth/README.md b/exp/services/webauth/README.md
@@ -0,0 +1,44 @@
+# webauth
+
+This is a SEP-10 Web Authentication implementation based on SEP-10 v1.2.0.
+
+This implementation is not polished and is still experimental. Running this implementation in production is not recommended.
+
+## Usage
+
+````
+$ webauth --help
+SEP-10 Web Authentication Server
+
+Usage:
+  webauth [command] [flags]
+  webauth [command]
+
+Available Commands:
+  genjwtkey   Generate a JWT ECDSA key
+  serve       Run the SEP-10 Web Authentication server
+
+Flags:
+  -h, --help   help for webauth
+
+Use "webauth [command] --help" for more information about a command.
+```
+
+## Usage: Serve
+
+```
+$ webauth serve --help
+Run the SEP-10 Web Authentication server
+
+Usage:
+  webauth serve [flags]
+
+Flags:
+      --challenge-expires-in int    The time period after which the challenge transaction expires (default 300000000000)
+      --horizon-url string          Horizon URL used for looking up account details (default "https://horizon-testnet.stellar.org/")
+      --jwt-expires-in int          The time period that after which the JWT expires (default 18000000000000)
+      --jwt-key string              Base64 encoded ECDSA private key used for signing JWTs
+      --network-passphrase string   Network passphrase of the Stellar network transactions should be signed for (default "Test SDF Network ; September 2015")
+      --port int                    Port to listen and serve on (default 8000)
+      --signing-key string          Stellar signing key used for signing transactions
+```
diff --git a/exp/services/webauth/internal/commands/genjwtkey.go b/exp/services/webauth/internal/commands/genjwtkey.go
@@ -0,0 +1,41 @@
+package commands
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/stellar/go/exp/services/webauth/internal/jwtkey"
+	supportlog "github.com/stellar/go/support/log"
+)
+
+type GenJWTKeyCommand struct {
+	Logger *supportlog.Entry
+}
+
+func (c *GenJWTKeyCommand) Command() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "genjwtkey",
+		Short: "Generate a JWT ECDSA key",
+		Run: func(_ *cobra.Command, _ []string) {
+			c.Run()
+		},
+	}
+	return cmd
+}
+
+func (c *GenJWTKeyCommand) Run() {
+	k, err := jwtkey.GenerateKey()
+	if err != nil {
+		c.Logger.Fatal(err)
+	}
+
+	if public, err := jwtkey.PublicKeyToString(&k.PublicKey); err == nil {
+		c.Logger.Print("Public:", public)
+	} else {
+		c.Logger.Print("Public:", err)
+	}
+
+	if private, err := jwtkey.PrivateKeyToString(k); err == nil {
+		c.Logger.Print("Private:", private)
+	} else {
+		c.Logger.Print("Private:", err)
+	}
+}
diff --git a/exp/services/webauth/internal/commands/serve.go b/exp/services/webauth/internal/commands/serve.go
@@ -0,0 +1,96 @@
+package commands
+
+import (
+	"go/types"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/stellar/go/clients/horizonclient"
+	"github.com/stellar/go/exp/services/webauth/internal/serve"
+	"github.com/stellar/go/network"
+	"github.com/stellar/go/support/config"
+	supportlog "github.com/stellar/go/support/log"
+)
+
+type ServeCommand struct {
+	Logger *supportlog.Entry
+}
+
+func (c *ServeCommand) Command() *cobra.Command {
+	opts := serve.Options{
+		Logger: c.Logger,
+	}
+	configOpts := config.ConfigOptions{
+		{
+			Name:        "port",
+			Usage:       "Port to listen and serve on",
+			OptType:     types.Int,
+			ConfigKey:   &opts.Port,
+			FlagDefault: 8000,
+			Required:    true,
+		},
+		{
+			Name:        "horizon-url",
+			Usage:       "Horizon URL used for looking up account details",
+			OptType:     types.String,
+			ConfigKey:   &opts.HorizonURL,
+			FlagDefault: horizonclient.DefaultTestNetClient.HorizonURL,
+			Required:    true,
+		},
+		{
+			Name:        "network-passphrase",
+			Usage:       "Network passphrase of the Stellar network transactions should be signed for",
+			OptType:     types.String,
+			ConfigKey:   &opts.NetworkPassphrase,
+			FlagDefault: network.TestNetworkPassphrase,
+			Required:    true,
+		},
+		{
+			Name:      "signing-key",
+			Usage:     "Stellar signing key used for signing transactions",
+			OptType:   types.String,
+			ConfigKey: &opts.SigningKey,
+			Required:  true,
+		},
+		{
+			Name:           "challenge-expires-in",
+			Usage:          "The time period after which the challenge transaction expires",
+			OptType:        types.Int,
+			CustomSetValue: config.SetDuration,
+			ConfigKey:      &opts.ChallengeExpiresIn,
+			FlagDefault:    int(300 * time.Second),
+			Required:       true,
+		},
+		{
+			Name:      "jwt-key",
+			Usage:     "Base64 encoded ECDSA private key used for signing JWTs",
+			OptType:   types.String,
+			ConfigKey: &opts.JWTPrivateKey,
+			Required:  true,
+		},
+		{
+			Name:           "jwt-expires-in",
+			Usage:          "The time period that after which the JWT expires",
+			OptType:        types.Int,
+			CustomSetValue: config.SetDuration,
+			ConfigKey:      &opts.JWTExpiresIn,
+			FlagDefault:    int(300 * time.Minute),
+			Required:       true,
+		},
+	}
+	cmd := &cobra.Command{
+		Use:   "serve",
+		Short: "Run the SEP-10 Web Authentication server",
+		Run: func(_ *cobra.Command, _ []string) {
+			configOpts.Require()
+			configOpts.SetValues()
+			c.Run(opts)
+		},
+	}
+	configOpts.Init(cmd)
+	return cmd
+}
+
+func (c *ServeCommand) Run(opts serve.Options) {
+	serve.Main(opts)
+}
diff --git a/exp/services/webauth/internal/jwtkey/jwtkey.go b/exp/services/webauth/internal/jwtkey/jwtkey.go
@@ -0,0 +1,80 @@
+// Package jwtkey provides utility functions for generating, serializing and
+// deserializing JWT ECDSA keys.
+//
+// TODO: Replace EC function usages with PKCS8 functions for supporting ECDSA
+// and RSA keys instead of only supporting ECDSA. The fact this package only
+// supports ECDSA is unnecessary.
+package jwtkey
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/base64"
+
+	"github.com/stellar/go/support/errors"
+)
+
+// GenerateKey is a convenience function for generating an ECDSA key for use as
+// a JWT key. It uses the P256 curve. To use other curves use the crypto/ecdsa
+// package directly.
+func GenerateKey() (*ecdsa.PrivateKey, error) {
+	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+	return k, nil
+}
+
+// PrivateKeyToString converts a ECDSA private key into a ASN.1 DER and base64
+// encoded string.
+func PrivateKeyToString(k *ecdsa.PrivateKey) (string, error) {
+	b, err := x509.MarshalECPrivateKey(k)
+	if err != nil {
+		return "", errors.Wrap(err, "marshaling ECDSA private key")
+	}
+	return base64.StdEncoding.EncodeToString(b), nil
+}
+
+// PublicKeyToString converts a ECDSA public key into a ASN.1 DER and base64
+// encoded string.
+func PublicKeyToString(k *ecdsa.PublicKey) (string, error) {
+	b, err := x509.MarshalPKIXPublicKey(k)
+	if err != nil {
+		return "", errors.Wrap(err, "marshaling ECDSA public key")
+	}
+	return base64.StdEncoding.EncodeToString(b), nil
+}
+
+// PrivateKeyFromString converts a ECDSA private key from a ASN.1 DER and
+// base64 encoded string into a type.
+func PrivateKeyFromString(s string) (*ecdsa.PrivateKey, error) {
+	keyBytes, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return nil, errors.Wrap(err, "base64 decoding ECDSA private key")
+	}
+	key, err := x509.ParseECPrivateKey(keyBytes)
+	if err != nil {
+		return nil, errors.Wrap(err, "unmarshaling ECDSA private key")
+	}
+	return key, nil
+}
+
+// PublicKeyFromString converts a ECDSA public key from a ASN.1 DER and base64
+// encoded string into a type.
+func PublicKeyFromString(s string) (*ecdsa.PublicKey, error) {
+	keyBytes, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return nil, errors.Wrap(err, "base64 decoding ECDSA public key")
+	}
+	keyI, err := x509.ParsePKIXPublicKey(keyBytes)
+	if err != nil {
+		return nil, errors.Wrap(err, "unmarshaling ECDSA public key")
+	}
+	key, ok := keyI.(*ecdsa.PublicKey)
+	if !ok {
+		return nil, errors.Wrap(err, "public key not ECDSA key")
+	}
+	return key, nil
+}
diff --git a/exp/services/webauth/internal/jwtkey/jwtkey_test.go b/exp/services/webauth/internal/jwtkey/jwtkey_test.go
@@ -0,0 +1,66 @@
+package jwtkey
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"encoding/base64"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerate(t *testing.T) {
+	key, err := GenerateKey()
+	require.NoError(t, err)
+	assert.Equal(t, elliptic.P256(), key.Curve)
+}
+
+func TestToFromStringRoundTrip(t *testing.T) {
+	testCases := []struct {
+		Name  string
+		Curve elliptic.Curve
+	}{
+		{Name: "P224", Curve: elliptic.P224()},
+		{Name: "P256", Curve: elliptic.P256()},
+		{Name: "P384", Curve: elliptic.P384()},
+		{Name: "P521", Curve: elliptic.P521()},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			privateKey, err := ecdsa.GenerateKey(tc.Curve, rand.Reader)
+			require.NoError(t, err)
+
+			t.Run("private", func(t *testing.T) {
+				privateKeyStr, err := PrivateKeyToString(privateKey)
+				require.NoError(t, err)
+
+				// Private key as string should be valid standard base64
+				_, err = base64.StdEncoding.DecodeString(privateKeyStr)
+				require.NoError(t, err)
+
+				// Private key should decode back to the original
+				privateKeyRoundTripped, err := PrivateKeyFromString(privateKeyStr)
+				require.NoError(t, err)
+				assert.Equal(t, privateKey, privateKeyRoundTripped)
+			})
+
+			publicKey := &privateKey.PublicKey
+
+			t.Run("public", func(t *testing.T) {
+				publicKeyStr, err := PublicKeyToString(publicKey)
+				require.NoError(t, err)
+
+				// Public key as string should be valid standard base64
+				_, err = base64.StdEncoding.DecodeString(publicKeyStr)
+				require.NoError(t, err)
+
+				// Public key should decode back to the original
+				publicKeyRoundTripped, err := PublicKeyFromString(publicKeyStr)
+				require.NoError(t, err)
+				assert.Equal(t, publicKey, publicKeyRoundTripped)
+			})
+		})
+	}
+}
diff --git a/exp/services/webauth/internal/serve/challenge.go b/exp/services/webauth/internal/serve/challenge.go
@@ -0,0 +1,56 @@
+package serve
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/stellar/go/keypair"
+	"github.com/stellar/go/strkey"
+	supportlog "github.com/stellar/go/support/log"
+	"github.com/stellar/go/support/render/httpjson"
+	"github.com/stellar/go/txnbuild"
+)
+
+// ChallengeHandler implements the SEP-10 challenge endpoint and handles
+// requests for a new challenge transaction.
+type challengeHandler struct {
+	Logger             *supportlog.Entry
+	ServerName         string
+	NetworkPassphrase  string
+	SigningKey         *keypair.Full
+	ChallengeExpiresIn time.Duration
+}
+
+type challengeResponse struct {
+	Transaction       string `json:"transaction"`
+	NetworkPassphrase string `json:"network_passphrase"`
+}
+
+func (h challengeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	account := r.URL.Query().Get("account")
+	if !strkey.IsValidEd25519PublicKey(account) {
+		badRequest.Render(w)
+		return
+	}
+
+	tx, err := txnbuild.BuildChallengeTx(
+		h.SigningKey.Seed(),
+		account,
+		h.ServerName,
+		h.NetworkPassphrase,
+		h.ChallengeExpiresIn,
+	)
+	if err != nil {
+		h.Logger.Ctx(ctx).WithStack(err).Error(err)
+		serverError.Render(w)
+		return
+	}
+
+	res := challengeResponse{
+		Transaction:       tx,
+		NetworkPassphrase: h.NetworkPassphrase,
+	}
+	httpjson.Render(w, res, httpjson.JSON)
+}