Skip to content

Add signature verification to V2 tool install endpoint #826

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Sep 26, 2023
Merged

Add signature verification to V2 tool install endpoint #826

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e6e85f9
modify examples
umbynos Sep 6, 2023
5e98b76
add signature
umbynos Sep 6, 2023
a6f13f8
goa gen github.com/arduino/arduino-create-agent/design
umbynos Sep 6, 2023
6d4a2ca
make signatureKey global
umbynos Sep 6, 2023
da360fc
move `verifyCommandLine` to utilities package
umbynos Sep 6, 2023
200777e
implement signature verification in case of tool install with URL
umbynos Sep 6, 2023
a839105
use subtests and add test cases
umbynos Sep 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
move verifyCommandLine to utilities package
  • Loading branch information
@umbynos
umbynos committed Sep 25, 2023
commit da360fcee3b1abd2746196cdd24f76712d11b875
26 changes: 1 addition & 25 deletions conn.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,7 @@ package main

import (
"bytes"
"crypto"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/hex"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"net/http"
"os"
Expand Down Expand Up @@ -114,7 +107,7 @@ func uploadHandler(c *gin.Context) {
return
}

err := verifyCommandLine(data.Commandline, data.Signature)
err := utilities.VerifyInput(data.Commandline, data.Signature)

if err != nil {
c.String(http.StatusBadRequest, "signature is invalid")
Expand Down Expand Up @@ -219,23 +212,6 @@ func send(args map[string]string) {
h.broadcastSys <- mapB
}

func verifyCommandLine(input string, signature string) error {
sign, _ := hex.DecodeString(signature)
block, _ := pem.Decode([]byte(*signatureKey))
if block == nil {
return errors.New("invalid key")
}
key, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return err
}
rsaKey := key.(*rsa.PublicKey)
h := sha256.New()
h.Write([]byte(input))
d := h.Sum(nil)
return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, d, sign)
}

func wsHandler() *WsServer {
server, err := socketio.NewServer(nil)
if err != nil {
Expand Down
27 changes: 27 additions & 0 deletions utilities/utilities.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,12 @@ package utilities
import (
"archive/zip"
"bytes"
"crypto"
"crypto/rsa"
"crypto/sha256"
"crypto/x509"
"encoding/hex"
"encoding/pem"
"errors"
"fmt"
"io"
Expand All @@ -26,6 +32,8 @@ import (
"path"
"path/filepath"
"strings"

"github.com/arduino/arduino-create-agent/globals"
)

// SaveFileonTempDir creates a temp directory and saves the file data as the
Expand Down Expand Up @@ -162,3 +170,22 @@ func SafeJoin(parent, subdir string) (string, error) {
}
return res, nil
}

// VerifyInput will verify an input against a signature
// A valid signature is indicated by returning a nil error.
func VerifyInput(input string, signature string) error {
sign, _ := hex.DecodeString(signature)
block, _ := pem.Decode([]byte(globals.SignatureKey))
if block == nil {
return errors.New("invalid key")
}
key, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return err
}
rsaKey := key.(*rsa.PublicKey)
h := sha256.New()
h.Write([]byte(input))
d := h.Sum(nil)
return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, d, sign)
}