TrustStore: Add signer

go/lib/infra/modules/trust/v2/BUILD.bazel

@@ -12,17 +12,20 @@ go_library(
         "resolver.go",
         "router.go",
         "rpc.go",
+        "signer.go",
     ],
     importpath = "github.com/scionproto/scion/go/lib/infra/modules/trust/v2",
     visibility = ["//visibility:public"],
     deps = [
         "//go/lib/addr:go_default_library",
         "//go/lib/common:go_default_library",
+        "//go/lib/ctrl:go_default_library",
         "//go/lib/ctrl/cert_mgmt:go_default_library",
         "//go/lib/infra:go_default_library",
         "//go/lib/infra/messenger:go_default_library",
         "//go/lib/infra/modules/db:go_default_library",
         "//go/lib/infra/modules/trust/v2/internal/decoded:go_default_library",
+        "//go/lib/keyconf:go_default_library",
         "//go/lib/log:go_default_library",
         "//go/lib/scrypto:go_default_library",
         "//go/lib/scrypto/cert/v2:go_default_library",
@@ -46,6 +49,7 @@ go_test(
         "recurser_test.go",
         "resolver_test.go",
         "router_test.go",
+        "signer_test.go",
     ],
     data = [
         "//go/lib/infra/modules/trust/v2/testdata:crypto_tar",
@@ -54,11 +58,13 @@ go_test(
     deps = [
         "//go/lib/addr:go_default_library",
         "//go/lib/common:go_default_library",
+        "//go/lib/ctrl:go_default_library",
         "//go/lib/ctrl/cert_mgmt:go_default_library",
         "//go/lib/infra:go_default_library",
         "//go/lib/infra/mock_infra:go_default_library",
         "//go/lib/infra/modules/trust/v2/internal/decoded:go_default_library",
         "//go/lib/infra/modules/trust/v2/mock_v2:go_default_library",
+        "//go/lib/keyconf:go_default_library",
         "//go/lib/log:go_default_library",
         "//go/lib/scrypto:go_default_library",
         "//go/lib/scrypto/cert/v2:go_default_library",

go/lib/infra/modules/trust/v2/main_test.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/scionproto/scion/go/lib/addr"
 	"github.com/scionproto/scion/go/lib/infra/modules/trust/v2/internal/decoded"
+	"github.com/scionproto/scion/go/lib/keyconf"
 	"github.com/scionproto/scion/go/lib/log"
 	"github.com/scionproto/scion/go/lib/scrypto"
 	"github.com/scionproto/scion/go/lib/scrypto/cert/v2"
@@ -138,3 +139,12 @@ func loadChain(t *testing.T, desc ChainDesc) decoded.Chain {
 	require.NoError(t, err, help)
 	return chain
 }
+
+func loadPrivateKey(t *testing.T, id keyconf.ID) keyconf.Key {
+	t.Helper()
+	file := filepath.Join(tmpDir, fmt.Sprintf("ISD%d/AS%s/keys", id.IA.I, id.IA.A.FileFmt()),
+		keyconf.PrivateKeyFile(id.Usage, id.Version))
+	key, err := keyconf.LoadKeyFromFile(file, keyconf.PrivateKey, id)
+	require.NoError(t, err, help)
+	return key
+}

go/lib/infra/modules/trust/v2/mock_v2/BUILD.bazel

@@ -10,6 +10,7 @@ go_library(
         "//go/lib/infra:go_default_library",
         "//go/lib/infra/modules/trust/v2:go_default_library",
         "//go/lib/infra/modules/trust/v2/internal/decoded:go_default_library",
+        "//go/lib/keyconf:go_default_library",
         "//go/lib/scrypto:go_default_library",
         "//go/lib/scrypto/trc/v2:go_default_library",
         "@com_github_golang_mock//gomock:go_default_library",

go/lib/infra/modules/trust/v2/signer.go

@@ -0,0 +1,166 @@
+// Copyright 2019 Anapaya Systems
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package trust
+
+import (
+	"bytes"
+	"context"
+
+	"github.com/scionproto/scion/go/lib/addr"
+	"github.com/scionproto/scion/go/lib/ctrl"
+	"github.com/scionproto/scion/go/lib/infra"
+	"github.com/scionproto/scion/go/lib/infra/modules/trust/v2/internal/decoded"
+	"github.com/scionproto/scion/go/lib/keyconf"
+	"github.com/scionproto/scion/go/lib/scrypto"
+	"github.com/scionproto/scion/go/lib/scrypto/cert/v2"
+	"github.com/scionproto/scion/go/lib/serrors"
+	"github.com/scionproto/scion/go/proto"
+)
+
+// KeyRing provides different private keys.
+type KeyRing interface {
+	// PrivateKey returns the private key for the given usage and version. If it
+	// is not in the key ring, an error is returned.
+	PrivateKey(usage keyconf.Usage, version scrypto.KeyVersion) (keyconf.Key, error)
+}
+
+// SignerConf holds the configuration of a signer.
+type SignerConf struct {
+	ChainVer scrypto.Version
+	TRCVer   scrypto.Version
+	Validity scrypto.Validity
+	Key      keyconf.Key
+}
+
+// Validate validates that the signer config is valid.
+func (cfg SignerConf) Validate() error {
+	switch {
+	case cfg.ChainVer.IsLatest():
+		return serrors.New("chain version is latest")
+	case cfg.TRCVer.IsLatest():
+		return serrors.New("TRC version is latest")
+	case cfg.Key.IA.IsWildcard():
+		return serrors.New("wildcard IA")
+	case cfg.Key.Type != keyconf.PrivateKey:
+		return serrors.New("wrong key type", "type", cfg.Key.Type)
+	}
+	if _, err := signTypeFromAlgo(cfg.Key.Algorithm); err != nil {
+		return err
+	}
+	return nil
+}
+
+// Signer is used to sign control plane data authenticated by certificate chains.
+type Signer struct {
+	cfg      SignerConf
+	signType proto.SignType
+	src      []byte
+}
+
+// NewSigner constructs a new signer.
+func NewSigner(cfg SignerConf) (*Signer, error) {
+	if err := cfg.Validate(); err != nil {
+		return nil, err
+	}
+	signType, _ := signTypeFromAlgo(cfg.Key.Algorithm)
+	src := ctrl.SignSrcDef{
+		IA:       cfg.Key.IA,
+		ChainVer: cfg.ChainVer,
+		TRCVer:   cfg.TRCVer,
+	}
+	s := &Signer{
+		signType: signType,
+		src:      src.Pack(),
+		cfg:      cfg,
+	}
+	return s, nil
+}
+
+// Sign signs the message.
+func (s *Signer) Sign(msg []byte) (*proto.SignS, error) {
+	var err error
+	sign := proto.NewSignS(s.signType, append(s.src[:0:0], s.src...))
+	sign.Signature, err = scrypto.Sign(sign.SigInput(msg, true),
+		s.cfg.Key.Bytes, s.cfg.Key.Algorithm)
+	if err != nil {
+		return nil, err
+	}
+	return sign, nil
+}
+
+// Meta returns the meta data the signer uses when signing.
+func (s *Signer) Meta() infra.SignerMeta {
+	return infra.SignerMeta{
+		Src: ctrl.SignSrcDef{
+			IA:       s.cfg.Key.IA,
+			ChainVer: s.cfg.ChainVer,
+			TRCVer:   s.cfg.TRCVer,
+		},
+		ExpTime: s.cfg.Validity.NotAfter.Time,
+		Algo:    s.cfg.Key.Algorithm,
+	}
+}
+
+// SignerGen generates signers based on the certificate chains and keys that are
+// available.
+type SignerGen struct {
+	IA       addr.IA
+	KeyRing  KeyRing
+	Provider CryptoProvider
+}
+
+// Signer returns the active signer.
+func (g *SignerGen) Signer(ctx context.Context) (*Signer, error) {
+	raw, err := g.Provider.GetRawChain(ctx, g.IA, scrypto.LatestVer, infra.ChainOpts{}, nil)
+	if err != nil {
+		return nil, serrors.WrapStr("error fetching latest chain", err)
+	}
+	dec, err := decoded.DecodeChain(raw)
+	if err != nil {
+		return nil, err
+	}
+	priv, err := g.KeyRing.PrivateKey(keyconf.ASSigningKey, dec.AS.Keys[cert.SigningKey].KeyVersion)
+	if err != nil {
+		return nil, serrors.WrapStr("private key not found", err,
+			"key_version", dec.AS.Keys[cert.SigningKey].KeyVersion)
+	}
+	pub, err := scrypto.GetPubKey(priv.Bytes, priv.Algorithm)
+	if err != nil {
+		return nil, serrors.WrapStr("unable to compute public key", err)
+	}
+	if !bytes.Equal(dec.AS.Keys[cert.SigningKey].Key, pub) {
+		return nil, serrors.WrapStr("public key does not match", err,
+			"chain_version", dec.AS.Version)
+	}
+	trc, err := g.Provider.GetTRC(ctx, g.IA.I, scrypto.LatestVer, infra.TRCOpts{})
+	if err != nil {
+		return nil, serrors.WrapStr("unable to get latest TRC", err)
+	}
+	return NewSigner(SignerConf{
+		ChainVer: dec.AS.Version,
+		TRCVer:   trc.Version,
+		Validity: *dec.AS.Validity,
+		Key:      priv,
+	})
+}
+
+func signTypeFromAlgo(algo string) (proto.SignType, error) {
+	switch algo {
+	case scrypto.Ed25519:
+		return proto.SignType_ed25519, nil
+	default:
+		return proto.SignType_none, serrors.New("unsupported signing algorithm", "algo", algo)
+	}
+}