From 9fb1768813ef7af3cb7c5d7707fe329e35fa3663 Mon Sep 17 00:00:00 2001
From: Andreas Henriksson <andreas@fatal.se>
Date: Thu, 8 May 2025 10:41:46 +0200
Subject: [PATCH] Revert "feat: Add support for signing/validating artifacts
 with Azure Key Vault"

This reverts commit fc6532ad911b35339664f26c231695901af980de.

(We're dropping the signer stuff in Debian because we don't have the
required deps in place, so we also need to drop this, which depends on
that.)
---
 artifact/azure/signer.go | 143 ---------------------------------------
 cli/artifacts.go         |   4 --
 cli/cli.go               |  19 ------
 cli/validate.go          |   3 +
 4 files changed, 3 insertions(+), 166 deletions(-)
 delete mode 100644 artifact/azure/signer.go

diff --git a/artifact/azure/signer.go b/artifact/azure/signer.go
deleted file mode 100644
index c35c22d..0000000
--- a/artifact/azure/signer.go
+++ /dev/null
@@ -1,143 +0,0 @@
-// Copyright 2025 Northern.tech AS
-//
-//    Licensed under the Apache License, Version 2.0 (the "License");
-//    you may not use this file except in compliance with the License.
-//    You may obtain a copy of the License at
-//
-//        http://www.apache.org/licenses/LICENSE-2.0
-//
-//    Unless required by applicable law or agreed to in writing, software
-//    distributed under the License is distributed on an "AS IS" BASIS,
-//    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//    See the License for the specific language governing permissions and
-//    limitations under the License.
-
-package azure
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/base64"
-	"fmt"
-	"os"
-	"regexp"
-
-	"github.com/mendersoftware/mender-artifact/artifact"
-
-	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
-	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
-	"github.com/lestrrat-go/jwx/jwk"
-	"github.com/pkg/errors"
-)
-
-type azureClient interface {
-	GetKey(ctx context.Context, name string, version string,
-		options *azkeys.GetKeyOptions) (azkeys.GetKeyResponse, error)
-	Sign(ctx context.Context, name string, version string, parameters azkeys.SignParameters,
-		options *azkeys.SignOptions) (azkeys.SignResponse, error)
-}
-
-type azureKeyVault struct {
-	keyName    string
-	keyVersion string
-	client     azureClient
-}
-
-func NewKeyVaultSigner(keyName string) (*azureKeyVault, error) {
-	keyVaultName := os.Getenv("KEY_VAULT_NAME")
-	if keyVaultName == "" {
-		return nil, fmt.Errorf("azure: no key vault name specified")
-	}
-	if !validateName(keyVaultName) {
-		return nil, fmt.Errorf("azure: invalid key vault name: %s", keyVaultName)
-	}
-	keyVaultUrl := fmt.Sprintf("https://%s.vault.azure.net/", keyVaultName)
-
-	// Key version is optional. If not set, it will use the latest key
-	keyVersion := os.Getenv("KEY_VAULT_KEY_VERSION")
-	cred, err := azidentity.NewDefaultAzureCredential(nil)
-	if err != nil {
-		return nil, errors.Wrap(err, "azure: failed to obtain credentials: %v")
-	}
-	client, err := azkeys.NewClient(keyVaultUrl, cred, nil)
-	if err != nil {
-		return nil, errors.Wrap(err, "azure: failed to create client")
-	}
-
-	return &azureKeyVault{
-		keyName:    keyName,
-		keyVersion: keyVersion,
-		client:     client,
-	}, nil
-}
-
-func validateName(name string) bool {
-	r := regexp.MustCompile("^[a-zA-Z](-?[a-zA-Z0-9]+)*$")
-	return r.MatchString(name) && len(name) >= 3 && len(name) <= 24
-}
-
-func (k *azureKeyVault) Sign(message []byte) ([]byte, error) {
-	hash := sha256.Sum256(message)
-	keyType, err := k.getKeyType()
-	if err != nil {
-		return nil, err
-	}
-
-	var algorithm azkeys.SignatureAlgorithm
-	switch *keyType {
-	case azkeys.KeyTypeEC:
-		algorithm = azkeys.SignatureAlgorithmES256
-	case azkeys.KeyTypeRSA:
-		algorithm = azkeys.SignatureAlgorithmRS256
-	default:
-		return nil, fmt.Errorf("azure: unsupported key type %s", *keyType)
-	}
-	resp, err := k.client.Sign(context.TODO(), k.keyName, k.keyVersion, azkeys.SignParameters{
-		Algorithm: &algorithm,
-		Value:     hash[:],
-	}, nil)
-	if err != nil {
-		return nil, errors.Wrap(err, "azure: failed to sign message")
-	}
-	sig := make([]byte, base64.StdEncoding.EncodedLen(len(resp.Result)))
-	base64.StdEncoding.Encode(sig, resp.Result)
-	return sig, nil
-}
-
-func (k *azureKeyVault) Verify(message, sig []byte) error {
-	resp, err := k.client.GetKey(context.TODO(), k.keyName, k.keyVersion, nil)
-	if err != nil {
-		return errors.Wrap(err, "azure: failed to get key")
-	}
-
-	dec := make([]byte, base64.StdEncoding.DecodedLen(len(sig)))
-	decLen, err := base64.StdEncoding.Decode(dec, sig)
-	if err != nil {
-		return errors.Wrap(err, "azure: error decoding signature")
-	}
-	buf, err := resp.Key.MarshalJSON()
-	if err != nil {
-		return errors.Wrap(err, "azure: error marshalling JSONWebKey")
-	}
-	key, err := jwk.ParseKey(buf)
-	if err != nil {
-		return errors.Wrap(err, "azure: error parsing JSON Web key")
-	}
-	keyPem, err := jwk.Pem(key)
-	if err != nil {
-		return errors.Wrap(err, "azure: error converting to PEM")
-	}
-	sm, err := artifact.GetKeyAndVerifyMethod(keyPem)
-	if err != nil {
-		return err
-	}
-	return sm.Method.Verify(message, dec[:decLen], sm.Key)
-}
-
-func (k *azureKeyVault) getKeyType() (*azkeys.KeyType, error) {
-	resp, err := k.client.GetKey(context.TODO(), k.keyName, k.keyVersion, nil)
-	if err != nil {
-		return nil, errors.Wrap(err, "azure: failed to get key")
-	}
-	return resp.Key.Kty, nil
-}
diff --git a/cli/artifacts.go b/cli/artifacts.go
index ddbc14d..6596a4d 100644
--- a/cli/artifacts.go
+++ b/cli/artifacts.go
@@ -23,7 +23,6 @@ import (
 
 	"github.com/mendersoftware/mender-artifact/areader"
 	"github.com/mendersoftware/mender-artifact/artifact"
-	"github.com/mendersoftware/mender-artifact/artifact/azure"
 	"github.com/mendersoftware/mender-artifact/artifact/gcp"
 	"github.com/mendersoftware/mender-artifact/artifact/keyfactor"
 	"github.com/mendersoftware/mender-artifact/artifact/vault"
@@ -133,7 +132,6 @@ func getKey(c *cli.Context) (SigningKey, error) {
 		"vault-transit-key",
 		"key-pkcs11",
 		"keyfactor-signserver-worker",
-		"azure-key",
 	}
 	for _, optName := range possibleOptions {
 		if c.String(optName) == "" {
@@ -184,8 +182,6 @@ func getKey(c *cli.Context) (SigningKey, error) {
 		return artifact.NewPKCS11Signer(c.String("key-pkcs11"))
 	case "keyfactor-signserver-worker":
 		return keyfactor.NewSignServerSigner(c.String("keyfactor-signserver-worker"))
-	case "azure-key":
-		return azure.NewKeyVaultSigner(c.String("azure-key"))
 	default:
 		return nil, fmt.Errorf("unsupported signing key type %q", chosenOption)
 	}
diff --git a/cli/cli.go b/cli/cli.go
index 67df007..55a73c4 100644
--- a/cli/cli.go
+++ b/cli/cli.go
@@ -161,17 +161,6 @@ func getCliContext() *cli.App {
 			"the Artifact signature.",
 	}
 
-	azureKeyFlag := cli.StringFlag{
-		Name: "azure-key",
-		Usage: "Name of the Azure Key Vault key that will be used to sign the Artifact. " +
-			"This operation requires the keys/sign and keys/get permissions. Uses " +
-			"DefaultAzureCredential to authenticate, which tries to authenticate based " +
-			"on a credential chain, stopping when one provides a token. Need to set the " +
-			"KEY_VAULT_NAME environment variable for the key vault name. To use a " +
-			"specific key version, set the KEY_VAULT_KEY_VERSION environment variable. " +
-			"If not set, it will use the latest key.",
-	}
-
 	//
 	// Common Artifact flags
 	//
@@ -277,7 +266,6 @@ func getCliContext() *cli.App {
 		gcpKMSKeyFlag,
 		vaultTransitKeyFlag,
 		signserverWorkerName,
-		azureKeyFlag,
 		cli.StringSliceFlag{
 			Name: "script, s",
 			Usage: "Full path to the state script(s). You can specify multiple " +
@@ -411,7 +399,6 @@ func getCliContext() *cli.App {
 		gcpKMSKeyFlag,
 		vaultTransitKeyFlag,
 		signserverWorkerName,
-		azureKeyFlag,
 		//////////////////////
 		// Sotware versions //
 		//////////////////////
@@ -470,7 +457,6 @@ func getCliContext() *cli.App {
 		gcpKMSKeyFlag,
 		signserverWorkerName,
 		vaultTransitKeyFlag,
-		azureKeyFlag,
 		/////////////////////////
 		// Version 3 specifics.//
 		/////////////////////////
@@ -508,7 +494,6 @@ func getCliContext() *cli.App {
 			signserverWorkerName,
 			vaultTransitKeyFlag,
 			pkcs11Flag,
-			azureKeyFlag,
 		},
 	}
 
@@ -528,7 +513,6 @@ func getCliContext() *cli.App {
 			signserverWorkerName,
 			vaultTransitKeyFlag,
 			pkcs11Flag,
-			azureKeyFlag,
 			cli.BoolFlag{
 				Name:  "no-progress",
 				Usage: "Suppress the progressbar output",
@@ -563,7 +547,6 @@ func getCliContext() *cli.App {
 			Usage: "Force creating new signature if the artifact is already signed",
 		},
 		pkcs11Flag,
-		azureKeyFlag,
 	}
 
 	//
@@ -623,7 +606,6 @@ func getCliContext() *cli.App {
 		signserverWorkerName,
 		vaultTransitKeyFlag,
 		compressionFlag,
-		azureKeyFlag,
 	}
 	modify.Before = func(c *cli.Context) error {
 		if c.String("name") != "" {
@@ -649,7 +631,6 @@ func getCliContext() *cli.App {
 		gcpKMSKeyFlag,
 		signserverWorkerName,
 		vaultTransitKeyFlag,
-		azureKeyFlag,
 	}
 
 	cat := cli.Command{
diff --git a/cli/validate.go b/cli/validate.go
index 5fc2248..29360a8 100644
--- a/cli/validate.go
+++ b/cli/validate.go
@@ -34,6 +34,9 @@ func validate(art io.Reader, key artifact.Verifier) error {
 
 	ar := areader.NewReader(art)
 	ar.VerifySignatureCallback = func(message, sig []byte) error {
+		if key == nil {
+			return nil
+		}
 		if key != nil {
 			if err := key.Verify(message, sig); err != nil {
 				validationError = err
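Review bot: The added `if key == nil { return nil }` guard is redundant with the `if key != nil {` check that immediately follows it, so the callback now tests the same condition twice; the diffstat shows this as the only insertion in an otherwise pure-deletion revert, so it is worth confirming these three lines were really part of what the reverted commit removed rather than a stray re-addition. If the guard stays, its security meaning should be spelled out, because an early `return nil` from a signature-verification callback reads like a rejection but is in fact a pass: a comment such as `// No verifier configured: the signature is not checked and the callback reports success.` would make that explicit for the next reader. With the early return in place the `if key != nil` wrapper on the following lines can be flattened to its body. validate's body starts before the hunk and continues past it, so how the caller treats a nil result is not visible here.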
-- 
2.47.2

