From e6dc293c3a7da4f6ab851cc28871399d754c9293 Mon Sep 17 00:00:00 2001 From: James Pickett Date: Wed, 22 May 2024 11:34:49 -0700 Subject: [PATCH 1/2] make kolide info table hw keys consistent on all platforms --- .../secureenclavesigner_darwin.go | 41 ++++++++++--------- pkg/osquery/table/launcher_info.go | 12 +++++- 2 files changed, 33 insertions(+), 20 deletions(-) diff --git a/ee/secureenclavesigner/secureenclavesigner_darwin.go b/ee/secureenclavesigner/secureenclavesigner_darwin.go index 381e804d0..17621a37d 100644 --- a/ee/secureenclavesigner/secureenclavesigner_darwin.go +++ b/ee/secureenclavesigner/secureenclavesigner_darwin.go @@ -7,6 +7,8 @@ import ( "context" "crypto" "crypto/ecdsa" + "crypto/x509" + "encoding/base64" "encoding/json" "errors" "fmt" @@ -123,11 +125,6 @@ func (ses *secureEnclaveSigner) Sign(rand io.Reader, digest []byte, opts crypto. return nil, fmt.Errorf("not implemented") } -type keyData struct { - Uid string `json:"uid"` - PubKey string `json:"pub_key"` -} - func (ses *secureEnclaveSigner) currentConsoleUserKey(ctx context.Context) (*ecdsa.PublicKey, error) { ctx, span := traces.StartSpan(ctx) defer span.End() @@ -167,22 +164,18 @@ func (ses *secureEnclaveSigner) currentConsoleUserKey(ctx context.Context) (*ecd } func (ses *secureEnclaveSigner) MarshalJSON() ([]byte, error) { - var keyDatas []keyData + keyMap := make(map[string]string) for uid, pubKey := range ses.uidPubKeyMap { - pubKeyBytes, err := echelper.PublicEcdsaToB64Der(pubKey) + pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey) if err != nil { return nil, fmt.Errorf("converting public key to b64 der: %w", err) } - keyDatas = append(keyDatas, keyData{ - Uid: uid, - PubKey: string(pubKeyBytes), - }) - + keyMap[uid] = base64.StdEncoding.EncodeToString(pubKeyBytes) } - return json.Marshal(keyDatas) + return json.Marshal(keyMap) } func (ses *secureEnclaveSigner) UnmarshalJSON(data []byte) error { @@ -190,18 +183,28 @@ func (ses *secureEnclaveSigner) UnmarshalJSON(data []byte) error { ses.uidPubKeyMap = make(map[string]*ecdsa.PublicKey) } - var keyDatas []keyData - if err := json.Unmarshal(data, &keyDatas); err != nil { + var keyMap map[string]string + if err := json.Unmarshal(data, &keyMap); err != nil { return fmt.Errorf("unmarshalling key data: %w", err) } - for _, kd := range keyDatas { - pubKey, err := echelper.PublicB64DerToEcdsaKey([]byte(kd.PubKey)) + for k, v := range keyMap { + decoded, err := base64.StdEncoding.DecodeString(v) + if err != nil { + return fmt.Errorf("decoding base64: %w", err) + } + + pubKey, err := x509.ParsePKIXPublicKey(decoded) if err != nil { - return fmt.Errorf("converting public key to ecdsa: %w", err) + return fmt.Errorf("parsing PXIXPublicKey: %w", err) + } + + ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey) + if !ok { + return fmt.Errorf("public key is not ecdsa") } - ses.uidPubKeyMap[kd.Uid] = pubKey + ses.uidPubKeyMap[k] = ecdsaPubKey } return nil diff --git a/pkg/osquery/table/launcher_info.go b/pkg/osquery/table/launcher_info.go index efbfb4b17..925e30183 100644 --- a/pkg/osquery/table/launcher_info.go +++ b/pkg/osquery/table/launcher_info.go @@ -112,8 +112,18 @@ func generateLauncherInfoTable(store types.GetterSetter) table.GenerateFunc { } if hardwareKeyDer, err := x509.MarshalPKIXPublicKey(agent.HardwareKeys().Public()); err == nil { + // on non-darwin we'll only have 1 key for the entire machine, but we want to keep format consistent with darwin + // so just return a map with 0 as the uid + jsonBytes, err := json.Marshal(map[string]string{ + "0": base64.StdEncoding.EncodeToString(hardwareKeyDer), + }) + + if err != nil { + return nil, fmt.Errorf("marshalling hardware keys: %w", err) + } + // der is a binary format, so convert to b64 - results[0]["hardware_key"] = base64.StdEncoding.EncodeToString(hardwareKeyDer) + results[0]["hardware_key"] = string(jsonBytes) results[0]["hardware_key_source"] = agent.HardwareKeys().Type() } From 41351b66e851ef6cd98d82487a821ab8aa63eeb4 Mon Sep 17 00:00:00 2001 From: James Pickett Date: Wed, 22 May 2024 11:42:55 -0700 Subject: [PATCH 2/2] format error msg --- ee/secureenclavesigner/secureenclavesigner_darwin.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/secureenclavesigner/secureenclavesigner_darwin.go b/ee/secureenclavesigner/secureenclavesigner_darwin.go index 17621a37d..0ed580063 100644 --- a/ee/secureenclavesigner/secureenclavesigner_darwin.go +++ b/ee/secureenclavesigner/secureenclavesigner_darwin.go @@ -169,7 +169,7 @@ func (ses *secureEnclaveSigner) MarshalJSON() ([]byte, error) { for uid, pubKey := range ses.uidPubKeyMap { pubKeyBytes, err := x509.MarshalPKIXPublicKey(pubKey) if err != nil { - return nil, fmt.Errorf("converting public key to b64 der: %w", err) + return nil, fmt.Errorf("marshalling to PXIX public key: %w", err) } keyMap[uid] = base64.StdEncoding.EncodeToString(pubKeyBytes) @@ -196,7 +196,7 @@ func (ses *secureEnclaveSigner) UnmarshalJSON(data []byte) error { pubKey, err := x509.ParsePKIXPublicKey(decoded) if err != nil { - return fmt.Errorf("parsing PXIXPublicKey: %w", err) + return fmt.Errorf("parsing PXIX public key: %w", err) } ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)