From: Andreas Henriksson <andreas@fatal.se>
Date: Sun, 5 Jan 2025 18:39:56 +0100
Subject: [PATCH] Revert "Merge pull request #559 from keyfactor-pub/master"

This reverts commit 81447d4e0e4a84d8ee0e7790cbd63e31c53978a2, reversing
changes made to 0acf01ad5caa06a95e299531f0f2fdf5f5492315.
---
 .gitlab-ci.yml                          |   4 -
 LIC_FILES_CHKSUM.sha256                 |   1 -
 artifact/keyfactor/MenderSignServer.png | Bin 302903 -> 0 bytes
 artifact/keyfactor/README.md            |  54 -------
 artifact/keyfactor/signer.go            | 247 --------------------------------
 artifact/keyfactor/signer_test.go       | 140 ------------------
 cli/artifacts.go                        |  10 +-
 cli/cli.go                              |  15 --
 cli/dump_test.go                        |   1 -
 cli/modify_existing_test.go             |   2 -
 10 files changed, 1 insertion(+), 473 deletions(-)
 delete mode 100644 artifact/keyfactor/MenderSignServer.png
 delete mode 100644 artifact/keyfactor/README.md
 delete mode 100644 artifact/keyfactor/signer.go
 delete mode 100644 artifact/keyfactor/signer_test.go

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 031ea4a..631f2d1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -29,10 +29,6 @@ variables:
   S3_BUCKET_PATH: "mender-artifact"
   DOCKER_BUILDKIT: 1

-test:check-license-source:
-  variables:
-    LICENSE_HEADERS_IGNORE_FILES_REGEXP: './artifact/keyfactor/\(signer\|signer_test\)\.go'
-
 build:docker:
   image: docker
   needs: []
diff --git a/LIC_FILES_CHKSUM.sha256 b/LIC_FILES_CHKSUM.sha256
index a3b6726..31e1397 100644
--- a/LIC_FILES_CHKSUM.sha256
+++ b/LIC_FILES_CHKSUM.sha256
@@ -18,7 +18,6 @@ cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  vendor/github.
 dd26a7abddd02e2d0aba97805b31f248ef7835d9e10da289b22e3b8ab78b324d  vendor/github.com/go-jose/go-jose/v3/json/LICENSE
 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  vendor/github.com/go-jose/go-jose/v3/LICENSE
 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  vendor/github.com/google/s2a-go/LICENSE.md
-c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4  vendor/github.com/Keyfactor/signserver-go-client-sdk/LICENSE
 cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  vendor/github.com/kylelemons/godebug/LICENSE
 c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4  vendor/go.opentelemetry.io/otel/trace/LICENSE
 c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4  vendor/go.opentelemetry.io/otel/LICENSE
diff --git a/artifact/keyfactor/README.md b/artifact/keyfactor/README.md
deleted file mode 100644
index e5b0e9b..0000000
--- a/artifact/keyfactor/README.md
+++ /dev/null
@@ -1,54 +0,0 @@
-<a href="https://www.keyfactor.com/products/signserver-enterprise/">
-<img src="https://www.keyfactor.com/wp-content/uploads/keyfactor-signserver-enterprise.svg" alt="SignServer">
-</a>
-
-# Keyfactor SignServer Signer for Mender Artifact
-
-The Keyfactor SignServer Signer for Mender Artifact is a custom signer for the [Mender](https://mender.io) OTA update manager. It uses [Keyfactor SignServer](https://www.keyfactor.com/products/signserver-enterprise/) to sign Mender Artifacts.
-
-Signing and Verification requests are forwarded to SignServer via the SignServer REST API, available in SignServer v6 and later.
-
-Keyfactor SignServer enables organizations to automate the signing of Mender artifacts with a secure, auditable, and compliant process. PKI resources are stored in a secure, centralized location, and signing operations are performed by a dedicated signing service. This ensures that signing keys are never exposed to the Mender server. Additionally, SignServer enables compliance with internal IT policy by enforcing access policies.
-
-![Keyfactor SignServer Signer for Mender Artifact](./MenderSignServer.png)
-
-## Requirements
-
-* [Keyfactor SignServer](https://www.keyfactor.com/products/signserver-enterprise/) 6.0 or later
-  * [Keyfactor SignServer Community Edition](https://www.signserver.org/) is also supported after version 6.0
-
-## SignServer Configuration
-
-The SignServer Signer for Mender Artifact requires a SignServer PlainSigner worker. The worker must be configured with the following properties:
-
-| Property                          | Value                                         |
-|-----------------------------------|-----------------------------------------------|
-| `ACCEPTED_HASH_DIGEST_ALGORITHMS` | `SHA-256, SHA-384, SHA-512`                   |
-| `AUTHTYPE`                        | `NOAUTH`                                      |
-| `CRYPTOTOKEN`                     | `CryptoTokenP12`                              |
-| `DEFAULTKEY`                      | `signer00003`                                 |
-| `DISABLEKEYUSAGECOUNTER`          | `true`                                        |
-| `DO_LOGREQUEST_DIGEST`            |                                               |
-| `IMPLEMENTATION_CLASS`            | `org.signserver.module.cmssigner.PlainSigner` |
-| `LOGREQUEST_DIGESTALGORITHM`      |                                               |
-| `NAME`                            | `MenderPlainSigner`                           |
-| `SIGNATUREALGORITHM`              | `NONEwithRSA`                                 |
-| `TYPE`                            | `PROCESSABLE`                                 |
-| `CLIENTSIDEHASHING`               | `true`                                        |
-
-## Usage
-
-Authentication with the SignServer REST API is performed using a client certificate. The client certificate must be a PEM encoded X509v3 certificate with an unencrypted private key in PKCS#8 format. The certificate and private key can be stored in the same file or in separate files. The certificate and private key must be stored in a directory accessible to the context in which the signer is invoked. The following environment variables can be used to configure the signer:
-
-| Environment Variable              | Description                                                                                                                                         | Required |
-|-----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|----------|
-| `SIGNSERVER_HOSTNAME`             | The host name of the SignServer instance to use for signing.                                                                                        | ✅        |
-| `SIGNSERVER_CLIENT_CERT_PATH`     | The path to the client certificate used to authenticate with the SignServer REST API.                                                               | ✅        |
-| `SIGNSERVER_CLIENT_CERT_KEY_PATH` | The path to the private key for the client certificate. The signer will recognize if the private key is in the same file as the client certificate. |          |
-| `SIGNSERVER_CA_CERT_PATH`         | The path to the root CA certificate (and any intermediates) used to verify the SignServer server certificate, if it wasn't signed by a trusted CA.  |          |
-
-To use the SignServer Signer for Mender Artifact, invoke the Mender Artifact CLI with the `--keyfactor-signserver-worker` option:
-
-```shell
-mender-artifact sign <artifact-path> --keyfactor-signserver-worker <keyfactor-signserver-worker>
-```
\ No newline at end of file
diff --git a/artifact/keyfactor/signer.go b/artifact/keyfactor/signer.go
deleted file mode 100644
index f15d83f..0000000
--- a/artifact/keyfactor/signer.go
+++ /dev/null
@@ -1,247 +0,0 @@
-/*
-Copyright 2023 The Keyfactor Command Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package keyfactor
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
-	"errors"
-	"fmt"
-
-	"github.com/mendersoftware/mender-artifact/artifact"
-
-	"github.com/Keyfactor/signserver-go-client-sdk/api/signserver"
-	"github.com/minio/sha256-simd"
-)
-
-type SignServerSigner struct {
-	client     *signserver.APIClient
-	workerName string
-}
-
-func NewSignServerSigner(workerName string) (*SignServerSigner, error) {
-	if workerName == "" {
-		return nil, errors.New("workerName must be set")
-	}
-
-	// Create SignServer API Client
-	config := signserver.NewConfiguration()
-
-	// Ensure that configuration picked up from environment variables
-	if config.Host == "" {
-		return nil, errors.New("SignServer Hostname must be set via environment variable " +
-			"SIGNSERVER_HOSTNAME")
-	}
-	if config.ClientCertificatePath == "" {
-		return nil, errors.New("SignServer Client Certificate Path must be set via " +
-			"environment variable SIGNSERVER_CLIENT_CERT_PATH")
-	}
-	// SignServer CA Certificate Path is optional
-	// SignServer Key Path is optional - It could be in the
-	// certificate pointed to by ClientCertificatePath
-
-	// Create SignServer API Client
-	client, err := signserver.NewAPIClient(config)
-	if err != nil {
-		return nil, fmt.Errorf("error creating SignServer API client: %s", err.Error())
-	}
-
-	signserverSigner := &SignServerSigner{
-		client:     client,
-		workerName: workerName,
-	}
-
-	return signserverSigner, nil
-}
-
-func (s *SignServerSigner) Sign(message []byte) ([]byte, error) {
-	// Use the internal sign method to sign the message
-	signature, _, err := s.sign(message)
-	if err != nil {
-		return nil, err
-	}
-
-	return signature, nil
-}
-
-// sign signs the given message using the configured worker,
-// and returns the signature and the signer's certificate.
-func (s *SignServerSigner) sign(message []byte) ([]byte, *x509.Certificate, error) {
-	if s.workerName == "" {
-		return nil, nil, errors.New("workerName must be set")
-	}
-
-	request := signserver.ProcessRequest{}
-
-	// Calculate SHA-256 digest of message
-	hash := sha256.Sum256(message)
-
-	// Base64 encode the digest
-	request.SetData(base64.StdEncoding.EncodeToString(hash[:]))
-	request.SetEncoding("BASE64")
-
-	// Communicate to SignServer that the digest is already hashed,
-	// and that the hash algorithm is SHA-256
-	// See https://doc.primekey.com/signserver/signserver-reference/client-side-hashing
-	request.SetMetaData(map[string]string{
-		"USING_CLIENTSUPPLIED_HASH":      "true",
-		"CLIENTSIDE_HASHDIGESTALGORITHM": "SHA-256",
-	})
-
-	// Use the configured worker to sign the digest
-	// This request uses the POST /workers/{idOrName}/process endpoint
-	// See https://doc.primekey.com/signserver/signserver-integration/rest-interface
-	signatureProps, _, err := s.client.WorkersAPI.
-		Sign(context.Background(), s.workerName).
-		ProcessRequest(request).
-		Execute()
-	if err != nil {
-		detail := fmt.Sprintf("failed to sign message with worker "+
-			"called %s", s.workerName)
-
-		var bodyError *signserver.GenericOpenAPIError
-		ok := errors.As(err, &bodyError)
-		if ok {
-			detail += fmt.Sprintf(" - %s", string(bodyError.Body()))
-		}
-
-		return nil, nil, errors.New(detail)
-	}
-
-	// SignServer returns the signer's certificate (public key) in Base64-encoded
-	// DER (PEM without header/footer)
-	// Decode the Base64 encoded DER
-	der, err := base64.StdEncoding.DecodeString(signatureProps.GetSignerCertificate())
-	if err != nil {
-		return nil, nil, err
-	}
-
-	// Parse the DER into a certificate object
-	certificate, err := x509.ParseCertificate(der)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	// The signature is also returned in Base64 encoded DER
-	// in the format of the signature algorithm configured
-	// on the worker. For example, if the worker's algorithm
-	// is configured as NONEwithRSA, then the signature algorithm
-	// will be RSASSA-PKCS1_v1.5 (PKCS#1 v1.5 signature with RSA)
-
-	// See https://doc.primekey.com/signserver/
-	// signserver-reference/signserver-workers/
-	// signserver-signers/plain-signer/plain-signer-algorithm-support
-	signature := []byte(signatureProps.GetData())
-
-	// Return the signature and the signer's certificate
-	return signature, certificate, nil
-}
-
-func (s *SignServerSigner) Verify(message, sig []byte) error {
-	// Get public key from SignServer
-	keyPem, err := s.getPublicKey()
-	if err != nil {
-		return err
-	}
-
-	// Retrieve the appropriate verification method from the key in the PEM block
-	method, err := artifact.GetKeyAndVerifyMethod(keyPem)
-	if err != nil {
-		return err
-	}
-
-	// Decode the signature from Base64
-	dec := make([]byte, base64.StdEncoding.DecodedLen(len(sig)))
-	decLen, err := base64.StdEncoding.Decode(dec, sig)
-	if err != nil {
-		return fmt.Errorf("signer: error decoding signature: %s", err.Error())
-	}
-
-	// Verify the signature
-	return method.Method.Verify(message, dec[:decLen], method.Key)
-}
-
-// getPublicKey returns the public key from the configured worker
-// by signing a dummy message and extracting the
-// signer's certificate. Public key is returned in PEM format.
-func (s *SignServerSigner) getPublicKey() ([]byte, error) {
-	// Sign a dummy message
-	_, certificate, err := s.sign([]byte("dummy"))
-	if err != nil {
-		return nil, fmt.Errorf("failed to get public key from worker called %q: %s",
-			s.workerName, err.Error())
-	}
-
-	// Build the appropriate PEM block containing marshalled DER bytes and the appropriate header
-	var pemBlock *pem.Block
-	switch certificate.PublicKeyAlgorithm {
-	case x509.RSA:
-		pubKey, ok := certificate.PublicKey.(*rsa.PublicKey)
-		if !ok {
-			return nil, fmt.Errorf("failed to get public key from worker called %q: %s",
-				s.workerName, "failed to parse RSA public key")
-		}
-		derBytes, err := x509.MarshalPKIXPublicKey(pubKey)
-		if err != nil {
-			return nil, fmt.Errorf("failed to marshal RSA public key to DER: %v", err)
-		}
-		pemBlock = &pem.Block{
-			Type:  "RSA PUBLIC KEY",
-			Bytes: derBytes,
-		}
-	case x509.ECDSA:
-		pubKey, ok := certificate.PublicKey.(*ecdsa.PublicKey)
-		if !ok {
-			return nil, fmt.Errorf("failed to get public key from worker called %q: %s",
-				s.workerName, "failed to parse ECDSA public key")
-		}
-		derBytes, err := x509.MarshalPKIXPublicKey(pubKey)
-		if err != nil {
-			return nil, fmt.Errorf("failed to marshal ECDSA public key to DER: %v", err)
-		}
-		pemBlock = &pem.Block{
-			Type:  "ECDSA PUBLIC KEY",
-			Bytes: derBytes,
-		}
-
-	case x509.Ed25519:
-		pubKey, ok := certificate.PublicKey.(ed25519.PublicKey)
-		if !ok {
-			return nil, fmt.Errorf("failed to get public key from worker called %q: %s",
-				s.workerName, "failed to parse Ed25519 public key")
-		}
-		derBytes, err := x509.MarshalPKIXPublicKey(pubKey)
-		if err != nil {
-			return nil, fmt.Errorf("failed to marshal Ed25519 public key to DER: %v", err)
-		}
-		pemBlock = &pem.Block{
-			Type:  "ED25519 PUBLIC KEY",
-			Bytes: derBytes,
-		}
-	default:
-		return nil, fmt.Errorf("unknown key type in certificate: %s",
-			certificate.PublicKeyAlgorithm.String())
-	}
-
-	// Encode the PEM block to PEM format
-	return pem.EncodeToMemory(pemBlock), nil
-}
diff --git a/artifact/keyfactor/signer_test.go b/artifact/keyfactor/signer_test.go
deleted file mode 100644
index 042f2d6..0000000
--- a/artifact/keyfactor/signer_test.go
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
-Copyright © 2023 Keyfactor
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package keyfactor
-
-import (
-	"crypto/x509"
-	"encoding/pem"
-	"github.com/stretchr/testify/assert"
-	"os"
-	"testing"
-)
-
-// GetTestSigner
-func GetTestSigner(t *testing.T) *SignServerSigner {
-	// Get the signer name from the environment
-	workerName := os.Getenv("SIGNSERVER_WORKER_NAME")
-	if workerName == "" {
-		t.Log("Skipping test until MEN-6895 is resolved")
-		t.Skip("SIGNSERVER_WORKER_NAME is not set")
-	}
-
-	// Use NewSignServerSigner to create a new SignServerSigner
-	signer, err := NewSignServerSigner(workerName)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Check that the signer is not nil
-	if signer == nil {
-		t.Fatal("signer is nil")
-	}
-
-	// Check that the signer has a properly configured client
-	assert.NotNil(t, signer.client)
-
-	// Check that the signer has a properly configured worker name
-	assert.Equal(t, workerName, signer.workerName)
-
-	// Return the test signer
-	return signer
-}
-
-func TestSignServerSigner_Sign(t *testing.T) {
-	// Get a test signer
-	signer := GetTestSigner(t)
-
-	msg := []byte("some msg")
-
-	// Sign the message
-	signature, err := signer.Sign(msg)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(signature) == 0 {
-		t.Fatal("signature is empty")
-	}
-}
-
-func TestSignServerSigner_getPublicKey(t *testing.T) {
-	// Get a test signer
-	signer := GetTestSigner(t)
-
-	keyPem, err := signer.getPublicKey()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Decode the PEM block containing the public key
-	block, _ := pem.Decode(keyPem)
-	if block == nil {
-		t.Fatal("failed to decode PEM block containing public key")
-	}
-
-	// Try to parse the key from the PEM block - If the key is invalid, this will fail
-	_, err = x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-func TestSignServerSigner_SignAndVerify(t *testing.T) {
-	// Get a test signer
-	signer := GetTestSigner(t)
-
-	msg := []byte("some msg")
-
-	// Sign the message
-	signature, err := signer.Sign(msg)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(signature) == 0 {
-		t.Fatal("signature is empty")
-	}
-
-	// Verify the signature
-	err = signer.Verify(msg, signature)
-	if err != nil {
-		t.Fatal(err)
-	}
-}
-
-func TestSignServerSigner_SignAndVerifyInvalidSignature(t *testing.T) {
-	// Get a test signer
-	signer := GetTestSigner(t)
-
-	msg := []byte("some msg")
-
-	// Sign the message
-	signature, err := signer.Sign(msg)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(signature) == 0 {
-		t.Fatal("signature is empty")
-	}
-
-	// Verify the signature
-	err = signer.Verify(msg, []byte("invalid signature"))
-	if err == nil {
-		t.Fatal("expected error")
-	}
-}
diff --git a/cli/artifacts.go b/cli/artifacts.go
index c4765d7..302f5bb 100644
--- a/cli/artifacts.go
+++ b/cli/artifacts.go
@@ -25,7 +25,6 @@ import (
 	"github.com/mendersoftware/mender-artifact/areader"
 	"github.com/mendersoftware/mender-artifact/artifact"
 	"github.com/mendersoftware/mender-artifact/artifact/gcp"
-	"github.com/mendersoftware/mender-artifact/artifact/keyfactor"
 	"github.com/mendersoftware/mender-artifact/awriter"
 	"github.com/mendersoftware/mender-artifact/handlers"

@@ -126,12 +125,7 @@ type SigningKey interface {

 func getKey(c *cli.Context) (SigningKey, error) {
 	var chosenOptions []string
-	possibleOptions := []string{
-		"key",
-		"gcp-kms-key",
-		"key-pkcs11",
-		"keyfactor-signserver-worker",
-	}
+	possibleOptions := []string{"key", "gcp-kms-key", "key-pkcs11"}
 	for _, optName := range possibleOptions {
 		if c.String(optName) == "" {
 			continue
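Review bot: The option names in `possibleOptions` are repeated as string literals in the `switch` on `chosenOption` further down in `getKey`, so the two lists can drift apart the next time a signing backend is added or reverted. Judging by the `default` branch visible in the next hunk, a name listed here without a matching `case` would presumably only surface at run time as `unsupported signing key type`. A comment above the slice would make the coupling explicit: `// Must match the cases of the switch on chosenOption below.` The body of `getKey` continues outside this hunk, so the `key` case and the handling of an empty selection are not visible here. Separately, the diffstat shows the LIC_FILES_CHKSUM.sha256 entry for the SignServer SDK being dropped but no change under vendor/ or to the module's dependency list, so it is worth confirming that the now-unused SDK is removed too rather than left in the dependency set.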
@@ -177,8 +171,6 @@ func getKey(c *cli.Context) (SigningKey, error) {
 		return gcp.NewKMSSigner(context.TODO(), c.String("gcp-kms-key"))
 	case "key-pkcs11":
 		return artifact.NewPKCS11Signer(c.String("key-pkcs11"))
-	case "keyfactor-signserver-worker":
-		return keyfactor.NewSignServerSigner(c.String("keyfactor-signserver-worker"))
 	default:
 		return nil, fmt.Errorf("unsupported signing key type %q", chosenOption)
 	}
diff --git a/cli/cli.go b/cli/cli.go
index d96cd87..5896be3 100644
--- a/cli/cli.go
+++ b/cli/cli.go
@@ -134,13 +134,6 @@ func getCliContext() *cli.App {
 			"the Artifact.",
 	}

-	signserverWorkerName := cli.StringFlag{
-		Name: "keyfactor-signserver-worker",
-		Usage: "The name of the SignServer worker that will be used to sign " +
-			"the Artifact. The worker name must be associated with a Plain Signer worker " +
-			"in SignServer. ",
-	}
-
 	pkcs11Flag := cli.StringFlag{
 		Name:  "key-pkcs11",
 		Usage: "Use PKCS#11 interface to sign and verify artifacts",
@@ -255,7 +248,6 @@ func getCliContext() *cli.App {
 		},
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		signserverWorkerName,
 		cli.StringSliceFlag{
 			Name: "script, s",
 			Usage: "Full path to the state script(s). You can specify multiple " +
@@ -387,7 +379,6 @@ func getCliContext() *cli.App {
 		compressionFlag,
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		signserverWorkerName,
 		//////////////////////
 		// Sotware versions //
 		//////////////////////
@@ -440,7 +431,6 @@ func getCliContext() *cli.App {
 		payloadDepends,
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		signserverWorkerName,
 		/////////////////////////
 		// Version 3 specifics.//
 		/////////////////////////
@@ -475,7 +465,6 @@ func getCliContext() *cli.App {
 		Flags: []cli.Flag{
 			publicKeyFlag,
 			gcpKMSKeyFlag,
-			signserverWorkerName,
 			pkcs11Flag,
 		},
 	}
@@ -493,7 +482,6 @@ func getCliContext() *cli.App {
 		Flags: []cli.Flag{
 			publicKeyFlag,
 			gcpKMSKeyFlag,
-			signserverWorkerName,
 			pkcs11Flag,
 			cli.BoolFlag{
 				Name:  "no-progress",
@@ -517,7 +505,6 @@ func getCliContext() *cli.App {
 	sign.Flags = []cli.Flag{
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		signserverWorkerName,
 		cli.StringFlag{
 			Name: "output-path, o",
 			Usage: "Full path to output signed artifact file; " +
@@ -584,7 +571,6 @@ func getCliContext() *cli.App {
 		},
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		signserverWorkerName,
 		compressionFlag,
 	}
 	modify.Before = func(c *cli.Context) error {
@@ -609,7 +595,6 @@ func getCliContext() *cli.App {
 		compressionFlag,
 		privateKeyFlag,
 		gcpKMSKeyFlag,
-		signserverWorkerName,
 	}
 
 	cat := cli.Command{
diff --git a/cli/dump_test.go b/cli/dump_test.go
index 6ad94ed..f9a6366 100644
--- a/cli/dump_test.go
+++ b/cli/dump_test.go
@@ -275,7 +275,6 @@ func testDumpContent(t *testing.T, imageType, printCmdline string) {
 		"device-type",
 		"file",
 		"gcp-kms-key",                  // Not tested in "dump".
-		"keyfactor-signserver-worker",  // Not tested in "dump".
 		"key",                          // Not tested in "dump".
 		"legacy-rootfs-image-checksum", // Not relevant for "dump", which uses "module-image".
 		"meta-data",
diff --git a/cli/modify_existing_test.go b/cli/modify_existing_test.go
index 23ec13b..1efce1b 100644
--- a/cli/modify_existing_test.go
+++ b/cli/modify_existing_test.go
@@ -462,7 +462,6 @@ Updates:
 		"device-type",
 		"file",
 		"gcp-kms-key",
-		"keyfactor-signserver-worker",
 		"key",
 		"output-path",
 		"script",
@@ -470,7 +469,6 @@ Updates:
 	modifyFlagsTested.addFlags([]string{
 		"artifact-name",
 		"gcp-kms-key",
-		"keyfactor-signserver-worker",
 		"key",
 		"name",
 	})
