summaryrefslogtreecommitdiff
path: root/pages/docs/design/bonafide.text
blob: 27f55881962ca567146b6033a2311d6c2c9a78fb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
@title = 'Bonafide'
@summary = 'Secure user registration, authentication, and provider discovery.'
@toc = true

h1. Introduction

Bonafide is a protocol that allows a user agent to communicate with a service provider. It includes the following capabilities:

* Discover basic information about a provider.
* Register a new account with a provider.
* Discover information about all the services offered by a provider.
* Authenticate with a provider.
* Destroy a user account.

Bonafide user SRP (Secure Remote Password) for password-based authentication.

h1. Configuration Files

h2. JSON files

h3. GET /provider.json

The @provider.json@ file includes basic information about a provider. The URL for provider.json is always the same for all providers (`http://DOMAIN/provider.json`). This is the basic 'bootstrap' file that informs the user agent what URLs to use for the other actions.

JSON files are always in UTF8. When loaded in the browser, they are not displayed in UTF8, so non-ascii characters look off, but the files are correct.

Here is an example `provider.json` (from https://demo.bitmask.net/provider.json):

bc.. {
  "api_uri": "https://api.demo.bitmask.net:4430",
  "api_version": "1",
  "ca_cert_fingerprint": "SHA256: 0f17c033115f6b76ff67871872303ff65034efe7dd1b910062ca323eb4da5c7e",
  "ca_cert_uri": "https://demo.bitmask.net/ca.crt",
  "default_language": "en",
  "description": {
    "en": "A demonstration provider."
  },
  "domain": "demo.bitmask.net",
  "enrollment_policy": "open",
  "languages": [
    "en"
  ],
  "name": {
    "en": "Bitmask"
  },
  "services": [
    "openvpn"
  ]
}

p. In this document, `API_BASE` consists of `api_uri/api_version`
TODO: define a schema for this file.

h3. GET API_BASE/configs.json

For each supported service code, `configs.json` lists the available configuration file. The service codes are listed in "services" in `provider.json`. A provider can use whatever service codes they want, but the user agent will only respond to the ones that it understands.

For example:

bc.. {
  "services":{
    "soledad":"/1/configs/soledad-service.json",
    "eip":"/1/configs/eip-service.json",
    "smtp":"/1/configs/smtp-service.json"
  }
}

h3. GET API_BASE/config/eip-service.json

e.g. https://api.bitmask.net:4430/1/config/eip-service.json

This file defines the "encrypted internet proxy" capabilities and gateways. The actual URL that should be used to fetch this is specified in the response from @/1/configs.json@.

h2. Keys

h3. GET /ca.crt

e.g. https://bitmask.net/ca.crt

This is the CA certificate for the provider. It is used to validate servers when not using the web browser. In particular, for OpenVPN. The URL for this is the same for all providers. The fingerprint for this CA cert should be distributed with the client whenever possible.


h1. REST API

h2. Version

The API_BASE for the webapp API is constructed from 'api_uri' and 'api_version' from provider.json.

For example, given this in provider.json:

<code>
{
  "api_uri": "https://api.bitmask.net:4430",
  "api_version": "1",
}
</code>

The API_BASE would be https://api.bitmask.net:4430/1

The API_VERSION will increment if breaking changes to the api are made. The API might be enhanced without incrementing the version. For Version 1 this may include sending additional data in json responses.

h2. Session

h3. Handshake

Starts authentication process (values A and B are part of the two step SRP authentication process).

<table class="table table-bordered table-striped">
<thead>
  <tr>
    <th colspan="2">POST API / sessions(.json)</th>
  </tr>
</thead>
<tr>
  <td>Query params:</td>
  <td>@{"A": "12…345", "login": "swq055"}@</td>
</tr>
<tr>
  <td>Response:</td>
  <td>200 @{"B": "17…651", "salt": "A13CDE"}@</td>
</tr>
</table>

If the query_params leave out the @A@, then no @B@ will be included and only the salt for the given login send out:

<table class="table table-bordered table-striped">
<thead>
  <tr>
    <th colspan="2">POST API / sessions(.json)</th>
  </tr>
</thead>
<tr>
  <td>Query params:</td>
  <td>@{"login": "swq055"}@</td>
</tr>
<tr>
  <td>Response:</td>
  <td>200 @{"salt": "A13CDE"}@</td>
</tr>
</table>

h3. Authenticate

Finishes authentication handshake, after which the user is successfully authenticated (assuming no errors). This needs to be run after the Handshake.

<table class="table table-bordered table-striped">
<thead>
  <tr>
    <th colspan="2">PUT API / sessions/:login(.json)</th>
  </tr>
</thead>
<tr>
  <td>Query params:</td>
  <td>@{"client_auth": "123…45", "A": "12…345"}@</td>
</tr>
<tr>
  <td>Response:</td>
  <td>200 @{"M2": "A123BC", "id": "234863", "token": "Aenfw893-zh"}@</td>
</tr>
<tr>
  <td>Error Response:</td>
  <td>500 @{"field":"password","error":"wrong password"}@</td>
</tr>
</table>

Variables:

* *A*: same as A param from the first Handshake request (POST).
* *client_auth*: SRP authentication value M, calculated by client.
* *M2*: Server response for SRP.
* *id*: User id for updating user record
* *token*: Unique identifier used to authenticate the user (until the session expires).

h3. Token Authentication

Tokens returned by the authentication request are used to authenticate further requests to the API and stored as a Hash in the couch database. Soledad directly queries the couch database to ensure the authentication of a user. It compares a hash of the token to the one stored in the database. Hashing prevents timing attacks.

h3. Logout

Destroy the current session and invalidate the token. Requires authentication.

<table class="table table-bordered table-striped">
<thead>
  <tr>
    <th colspan="2">DELETE API / logout(.json)</th>
  </tr>
</thead>
<tr>
  <td>Query params:</td>
  <td>@{"login": "swq055"}@</td>
</tr>
<tr>
  <td>Response:</td>
  <td>204 NO CONTENT</td>
</tr>
</table>

h2. Certificates

h3. Get a VPN client certificate

The client certificate will be a "free" cert unless client is authenticated.

<table class="table table-bordered table-striped">
<thead>
  <tr>
    <th colspan="2">POST API / cert</th>
  </tr>
</thead>
<tr>
  <td>Response:</td>
  <td>200 @PEM ENCODED CERT@</td>
</tr>
</table>

The response also includes the corresponding private key.

h3. Get a SMTP client certificate

The client certificate will include the user's email address and the fingerprint will be stored with the users identity and the date it was created. Authentication is required.

<table class="table table-bordered table-striped">
<thead>
  <tr>
    <th colspan="2">POST API / smtp_cert</th>
  </tr>
</thead>
<tr>
  <td>Response:</td>
  <td>200 @PEM ENCODED CERT@</td>
</tr>
</table>

The response also includes the corresponding private key.

h2. Users

h3. Signup

Create a new user.

<table class="table table-bordered table-striped">
<thead>
  <tr>
    <th colspan="2">POST API / users(.json)</th>
  </tr>
</thead>
<tr>
  <td>Query params:</td>
  <td>@{"user[password_salt]": "5A...21", "user[password_verifier]": "12...45", "user[login]": "that_s_me"}@</td>
</tr>
<tr>
  <td>Response:</td>
  <td>200 @{"password_salt":"5A...21","login":"that_s_me"}@</td>
</tr>
</table>

h3. Update user record

Update information about the user. Requires Authentication.

<table class="table table-bordered table-striped">
<thead>
  <tr>
    <th colspan="2">PUT API /users/:uid(.json)</th>
  </tr>
</thead>
<tr>
  <td>Query params:</td>
  <td>@{"user[param1]": "value1", "user[param2]": "value2" }@</td>
</tr>
<tr>
  <td>Response:</td>
  <td>204 @NO CONTENT@</td>
</tr>
</table>

Possible parameters to update:

* @login@ (requires @password_verifier@)
* @password_verifier@ combined with @salt@
* @public_key@