fix(gateway): verify client signature before payload_hash
ARCHITECTURE.md §15 "Verification order" specifies signature verification (step 4) before payload_hash (step 5), but the authenticated-edge decorator chain wrapped the payload-hash gate outside the signature gate, so the hash was checked first. gateway/README.md and gateway/docs/flows.md had drifted to match the code (hash-first), leaving ARCHITECTURE.md as the lone source describing the intended order. Swap the two decorators in server.go so the signature gate runs first, and align README + flows.md to ARCHITECTURE.md. Signature-first is the cryptographically sound order: the signature covers the payload_hash field, so the request is authenticated before any of its content is processed. Observable side effect: a request carrying a tampered payload_hash whose signature was computed over the original hash is now rejected at the signature gate (UNAUTHENTICATED "invalid request signature") instead of the hash gate (INVALID_ARGUMENT). Security is unchanged — both refusals happen before the payload is handled. The four payload-hash unit tests re-sign over the tampered hash so they keep exercising the hash gate; the cross-service integration test signs over the overridden hash and already accepts both codes. Refs #39 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Ilia Denisov
+2
-2
@@ -579,8 +579,8 @@ ingress.
|
|||||||
2. Check whether `protocol_version` is supported.
|
2. Check whether `protocol_version` is supported.
|
||||||
3. Resolve `device_session_id` through `SessionCache`.
|
3. Resolve `device_session_id` through `SessionCache`.
|
||||||
4. Reject unknown or revoked sessions.
|
4. Reject unknown or revoked sessions.
|
||||||
5. Verify that `payload_hash` matches raw `payload_bytes`.
|
5. Verify the client signature using the public key from session cache.
|
||||||
6. Verify the client signature using the public key from session cache.
|
6. Verify that `payload_hash` matches raw `payload_bytes`.
|
||||||
7. Verify that `timestamp_ms` is inside the accepted freshness window.
|
7. Verify that `timestamp_ms` is inside the accepted freshness window.
|
||||||
8. Verify anti-replay by checking `device_session_id + request_id`.
|
8. Verify anti-replay by checking `device_session_id + request_id`.
|
||||||
9. Apply authenticated rate limit and edge policy checks.
|
9. Apply authenticated rate limit and edge policy checks.
|
||||||
|
|||||||
@@ -38,8 +38,8 @@ sequenceDiagram
|
|||||||
Gateway->>Gateway: validate envelope + protocol_version
|
Gateway->>Gateway: validate envelope + protocol_version
|
||||||
Gateway->>Backend: GET /api/v1/internal/sessions/{device_session_id}
|
Gateway->>Backend: GET /api/v1/internal/sessions/{device_session_id}
|
||||||
Backend-->>Gateway: session record
|
Backend-->>Gateway: session record
|
||||||
Gateway->>Gateway: verify payload_hash
|
|
||||||
Gateway->>Gateway: verify Ed25519 signature
|
Gateway->>Gateway: verify Ed25519 signature
|
||||||
|
Gateway->>Gateway: verify payload_hash
|
||||||
Gateway->>Gateway: verify freshness window
|
Gateway->>Gateway: verify freshness window
|
||||||
Gateway->>Replay: reserve(device_session_id, request_id, ttl)
|
Gateway->>Replay: reserve(device_session_id, request_id, ttl)
|
||||||
Replay-->>Gateway: accepted
|
Replay-->>Gateway: accepted
|
||||||
|
|||||||
@@ -12,8 +12,8 @@ import (
|
|||||||
"google.golang.org/grpc/status"
|
"google.golang.org/grpc/status"
|
||||||
)
|
)
|
||||||
|
|
||||||
// payloadHashVerifyingService applies payload-hash verification after session
|
// payloadHashVerifyingService applies payload-hash verification after
|
||||||
// lookup and before any later auth or routing step runs.
|
// client-signature verification and before any later auth or routing step runs.
|
||||||
type payloadHashVerifyingService struct {
|
type payloadHashVerifyingService struct {
|
||||||
edgev1.UnimplementedGatewayServer
|
edgev1.UnimplementedGatewayServer
|
||||||
|
|
||||||
|
|||||||
@@ -27,6 +27,9 @@ func TestExecuteCommandRejectsPayloadHashWithInvalidLength(t *testing.T) {
|
|||||||
|
|
||||||
req := newValidExecuteCommandRequest()
|
req := newValidExecuteCommandRequest()
|
||||||
req.PayloadHash = []byte("short")
|
req.PayloadHash = []byte("short")
|
||||||
|
// Signature verification now precedes the payload-hash gate, so re-sign
|
||||||
|
// over the tampered hash to keep the signature valid and exercise the gate.
|
||||||
|
req.Signature = signRequest(req.GetProtocolVersion(), req.GetDeviceSessionId(), req.GetMessageType(), req.GetTimestampMs(), req.GetRequestId(), req.GetPayloadHash())
|
||||||
|
|
||||||
_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(req))
|
_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(req))
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
@@ -51,6 +54,9 @@ func TestExecuteCommandRejectsPayloadHashMismatch(t *testing.T) {
|
|||||||
req := newValidExecuteCommandRequest()
|
req := newValidExecuteCommandRequest()
|
||||||
sum := sha256.Sum256([]byte("other"))
|
sum := sha256.Sum256([]byte("other"))
|
||||||
req.PayloadHash = sum[:]
|
req.PayloadHash = sum[:]
|
||||||
|
// Signature verification now precedes the payload-hash gate, so re-sign
|
||||||
|
// over the tampered hash to keep the signature valid and exercise the gate.
|
||||||
|
req.Signature = signRequest(req.GetProtocolVersion(), req.GetDeviceSessionId(), req.GetMessageType(), req.GetTimestampMs(), req.GetRequestId(), req.GetPayloadHash())
|
||||||
|
|
||||||
_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(req))
|
_, err := client.ExecuteCommand(context.Background(), connect.NewRequest(req))
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
@@ -74,6 +80,9 @@ func TestSubscribeEventsRejectsPayloadHashWithInvalidLength(t *testing.T) {
|
|||||||
|
|
||||||
req := newValidSubscribeEventsRequest()
|
req := newValidSubscribeEventsRequest()
|
||||||
req.PayloadHash = []byte("short")
|
req.PayloadHash = []byte("short")
|
||||||
|
// Signature verification now precedes the payload-hash gate, so re-sign
|
||||||
|
// over the tampered hash to keep the signature valid and exercise the gate.
|
||||||
|
req.Signature = signRequest(req.GetProtocolVersion(), req.GetDeviceSessionId(), req.GetMessageType(), req.GetTimestampMs(), req.GetRequestId(), req.GetPayloadHash())
|
||||||
|
|
||||||
err := subscribeEventsError(t, context.Background(), client, req)
|
err := subscribeEventsError(t, context.Background(), client, req)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
@@ -98,6 +107,9 @@ func TestSubscribeEventsRejectsPayloadHashMismatch(t *testing.T) {
|
|||||||
req := newValidSubscribeEventsRequest()
|
req := newValidSubscribeEventsRequest()
|
||||||
sum := sha256.Sum256([]byte("other"))
|
sum := sha256.Sum256([]byte("other"))
|
||||||
req.PayloadHash = sum[:]
|
req.PayloadHash = sum[:]
|
||||||
|
// Signature verification now precedes the payload-hash gate, so re-sign
|
||||||
|
// over the tampered hash to keep the signature valid and exercise the gate.
|
||||||
|
req.Signature = signRequest(req.GetProtocolVersion(), req.GetDeviceSessionId(), req.GetMessageType(), req.GetTimestampMs(), req.GetRequestId(), req.GetPayloadHash())
|
||||||
|
|
||||||
err := subscribeEventsError(t, context.Background(), client, req)
|
err := subscribeEventsError(t, context.Background(), client, req)
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
|
|||||||
@@ -128,8 +128,8 @@ func NewServer(cfg config.AuthenticatedGRPCConfig, deps ServerDependencies) *Ser
|
|||||||
cfg: cfg,
|
cfg: cfg,
|
||||||
service: newEnvelopeValidatingService(
|
service: newEnvelopeValidatingService(
|
||||||
newSessionLookupService(
|
newSessionLookupService(
|
||||||
newPayloadHashVerifyingService(
|
|
||||||
newSignatureVerifyingService(
|
newSignatureVerifyingService(
|
||||||
|
newPayloadHashVerifyingService(
|
||||||
newFreshnessAndReplayService(
|
newFreshnessAndReplayService(
|
||||||
newAuthenticatedRateLimitService(
|
newAuthenticatedRateLimitService(
|
||||||
finalService,
|
finalService,
|
||||||
|
|||||||
@@ -12,8 +12,8 @@ import (
|
|||||||
"google.golang.org/grpc/status"
|
"google.golang.org/grpc/status"
|
||||||
)
|
)
|
||||||
|
|
||||||
// signatureVerifyingService applies client-signature verification after
|
// signatureVerifyingService applies client-signature verification after session
|
||||||
// payload integrity checks and before later auth or routing steps run.
|
// lookup and before payload-hash verification and later routing steps run.
|
||||||
type signatureVerifyingService struct {
|
type signatureVerifyingService struct {
|
||||||
edgev1.UnimplementedGatewayServer
|
edgev1.UnimplementedGatewayServer
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user