Use standard system package for ECDSA verification and add tests

packaging/aleph-vm/DEBIAN/control

@@ -3,6 +3,6 @@ Version: 0.1.8
 Architecture: all
 Maintainer: Aleph.im
 Description: Aleph.im VM execution engine
-Depends: python3,python3-pip,python3-aiohttp,python3-msgpack,python3-aiodns,python3-alembic,python3-sqlalchemy,python3-setproctitle,redis,python3-aioredis,python3-psutil,sudo,acl,curl,systemd-container,squashfs-tools,debootstrap,python3-packaging,python3-cpuinfo,python3-nftables,python3-jsonschema,cloud-image-utils,ndppd,python3-yaml,python3-dotenv,python3-schedule,qemu-system-x86,qemu-utils,python3-systemd,python3-dbus,btrfs-progs,nftables
+Depends: python3,python3-pip,python3-aiohttp,python3-msgpack,python3-aiodns,python3-alembic,python3-sqlalchemy,python3-setproctitle,redis,python3-aioredis,python3-psutil,sudo,acl,curl,systemd-container,squashfs-tools,debootstrap,python3-packaging,python3-cpuinfo,python3-nftables,python3-jsonschema,cloud-image-utils,ndppd,python3-yaml,python3-dotenv,python3-schedule,qemu-system-x86,qemu-utils,python3-systemd,python3-dbus,btrfs-progs,nftables,python3-jwcrypto
 Section: aleph-im
 Priority: Extra

pyproject.toml

@@ -30,7 +30,6 @@ dependencies = [
   "setproctitle==1.3.3",
   "pyyaml==6.0.1",
   "aleph-message==0.4.4",
-  "jwskate==0.8.0",
   "eth-account~=0.10",
   "sentry-sdk==1.31.0",
   "aioredis==1.3.1",
@@ -51,6 +50,7 @@ dependencies = [
   "alembic==1.13.1",
   "aiohttp_cors~=0.7.0",
   "pyroute2==0.7.12",
+  "jwcrypto==1.5.6",
 ]
 
 [project.urls]

src/aleph/vm/controllers/qemu/QEMU.md

@@ -8,7 +8,7 @@ These are installable via
 
 This branch depends on the version 0.4.1 of `aleph-message` that add the `hypervisor` field. The easiest way is to install tha version using `pip install -e .`
 
-To create a local venv use the `--system-site-packages` option so it can acess nftables 
+To create a local venv use the `--system-site-packages` option so it can access nftables 
 
 ## To test launching a VM instance
 

src/aleph/vm/orchestrator/views/authentication.py

@@ -1,28 +1,31 @@
+# Keep datetime import as is as it allow patching in test
+import datetime
 import functools
 import json
 import logging
 from collections.abc import Awaitable, Coroutine
-from datetime import datetime, timedelta, timezone
 from typing import Any, Callable, Literal, Union
 
+import cryptography.exceptions
 import pydantic
 from aiohttp import web
 from eth_account import Account
 from eth_account.messages import encode_defunct
-from jwskate import Jwk
+from jwcrypto import jwk, jws
+from jwcrypto.jwa import JWA
 from pydantic import BaseModel, ValidationError, root_validator, validator
 
 from aleph.vm.conf import settings
 
 logger = logging.getLogger(__name__)
 
 
-def is_token_still_valid(timestamp):
+def is_token_still_valid(datestr: str):
     """
     Checks if a token has expired based on its expiry timestamp
     """
-    current_datetime = datetime.now(tz=timezone.utc)
-    expiry_datetime = datetime.fromisoformat(timestamp)
+    current_datetime = datetime.datetime.now(tz=datetime.timezone.utc)
+    expiry_datetime = datetime.datetime.fromisoformat(datestr.replace("Z", "+00:00"))
 
     return expiry_datetime > current_datetime
 
@@ -48,9 +51,9 @@
     expires: str
 
     @property
-    def json_web_key(self) -> Jwk:
+    def json_web_key(self) -> jwk.JWK:
         """Return the ephemeral public key as Json Web Key"""
-        return Jwk(self.pubkey)
+        return jwk.JWK(**self.pubkey)
 
 
 class SignedPubKeyHeader(BaseModel):
@@ -95,16 +98,16 @@
 
 
 class SignedOperationPayload(BaseModel):
-    time: datetime
+    time: datetime.datetime
     method: Union[Literal["POST"], Literal["GET"]]
     path: str
     # body_sha256: str  # disabled since there is no body
 
     @validator("time")
-    def time_is_current(cls, v: datetime) -> datetime:
+    def time_is_current(cls, v: datetime.datetime) -> datetime.datetime:
         """Check that the time is current and the payload is not a replay attack."""
-        max_past = datetime.now(tz=timezone.utc) - timedelta(minutes=2)
-        max_future = datetime.now(tz=timezone.utc) + timedelta(minutes=2)
+        max_past = datetime.datetime.now(tz=datetime.timezone.utc) - datetime.timedelta(minutes=2)
+        max_future = datetime.datetime.now(tz=datetime.timezone.utc) + datetime.timedelta(minutes=2)
         if v < max_past:
             raise ValueError("Time is too far in the past")
         if v > max_future:
@@ -154,13 +157,17 @@
         raise web.HTTPBadRequest(reason="Invalid X-SignedPubKey fields") from error
     except json.JSONDecodeError as error:
         raise web.HTTPBadRequest(reason="Invalid X-SignedPubKey format") from error
-    except ValueError as error:
-        if error.args == ("Token expired",):
-            raise web.HTTPUnauthorized(reason="Token expired") from error
-        elif error.args == ("Invalid signature",):
-            raise web.HTTPUnauthorized(reason="Invalid signature") from error
+    except ValueError as errors:
+        logging.debug(errors)
+        for err in errors.args[0]:
+            if isinstance(err.exc, json.JSONDecodeError):
+                raise web.HTTPBadRequest(reason="Invalid X-SignedPubKey format") from errors
+            if str(err.exc) == "Token expired":
+                raise web.HTTPUnauthorized(reason="Token expired") from errors
+            if str(err.exc) == "Invalid signature":
+                raise web.HTTPUnauthorized(reason="Invalid signature") from errors
         else:
-            raise error
+            raise errors
 
 
 def get_signed_operation(request: web.Request) -> SignedOperation:
@@ -179,14 +186,14 @@
 
 def verify_signed_operation(signed_operation: SignedOperation, signed_pubkey: SignedPubKeyHeader) -> str:
     """Verify that the operation is signed by the ephemeral key authorized by the wallet."""
-    if signed_pubkey.content.json_web_key.verify(
-        data=signed_operation.payload,
-        signature=signed_operation.signature,
-        alg="ES256",
-    ):
+    pubkey = signed_pubkey.content.json_web_key
+
+    try:
+        JWA.signing_alg("ES256").verify(pubkey, signed_operation.payload, signed_operation.signature)
         logger.debug("Signature verified")
         return signed_pubkey.content.address
-    else:
+    except cryptography.exceptions.InvalidSignature as e:
+        logger.debug("Failing to validate signature for operation", e)
         raise web.HTTPUnauthorized(reason="Signature could not verified")
 
 
@@ -225,6 +232,10 @@
             authenticated_sender: str = await authenticate_jwk(request)
         except web.HTTPException as e:
             return web.json_response(data={"error": e.reason}, status=e.status)
+        except Exception as e:
+            # Unexpected make sure to log it
+            logging.exception(e)
+            raise
 
         response = await handler(request, authenticated_sender)
         return response