From a286c1e183b9889636b8af9a379a9435cc896f9e Mon Sep 17 00:00:00 2001 From: seph Date: Thu, 12 Jan 2023 15:43:14 -0500 Subject: [PATCH 01/20] refactor1 --- ee/localserver/server.go | 2 +- pkg/osquery/extension.go | 10 ++++++++-- pkg/osquery/extension_test.go | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ee/localserver/server.go b/ee/localserver/server.go index b9e05ee1e..009c0d8db 100644 --- a/ee/localserver/server.go +++ b/ee/localserver/server.go @@ -68,7 +68,7 @@ func New(logger log.Logger, db *bbolt.DB, kolideServer string) (*localServer, er } // Consider polling this on an interval, so we get updates. - privateKey, err := osquery.PrivateKeyFromDB(db) + privateKey, err := osquery.PrivateRSAKeyFromDB(db) if err != nil { return nil, fmt.Errorf("fetching private key: %w", err) } diff --git a/pkg/osquery/extension.go b/pkg/osquery/extension.go index 444fc311e..5eedbcb60 100644 --- a/pkg/osquery/extension.go +++ b/pkg/osquery/extension.go @@ -234,6 +234,12 @@ func (e *Extension) getHostIdentifier() (string, error) { return IdentifierFromDB(e.db) } +// SetupLauncherKeys configures the various keys used for communication. +// +// There are 3 keys: +// 1. The RSA key. This is stored in the launcher DB, and was the first key used by krypto. We are deprecating it. +// 2. The hardware keys -- these are in the secure enclave (TPM or Apple's thing) These are used to identify the device +// 3. The launcher install key -- this is an ECC key that is sometimes used in conjunction with (2) func SetupLauncherKeys(db *bbolt.DB) error { err := db.Update(func(tx *bbolt.Tx) error { 
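Review bot: The new doc comment on SetupLauncherKeys says it "configures the various keys" and lists three, but at this commit the body (which continues past the hunk) only ensures the RSA key, so a reader will look for hardware and ECC handling that is not there; state what is actually handled today, e.g. `// Currently only (1) is created here; (2) and (3) are not yet wired up.` The description of (2) would also read better as `the Secure Enclave on Apple hardware, or a TPM elsewhere` than `Apple's thing`, since the comment is the only place this key hierarchy is explained. The rest of the patch is a mechanical rename of PrivateKeyFromDB.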
@@ -287,8 +293,8 @@ func SetupLauncherKeys(db *bbolt.DB) error { } -// PrivateKeyFromDB returns the private launcher key. This is used to authenticate various launcher communications. -func PrivateKeyFromDB(db *bbolt.DB) (*rsa.PrivateKey, error) { +// PrivateRSAKeyFromDB returns the private launcher key. This is the old key used to authenticate various launcher communications. +func PrivateRSAKeyFromDB(db *bbolt.DB) (*rsa.PrivateKey, error) { var privateKey []byte if err := db.View(func(tx *bbolt.Tx) error { diff --git a/pkg/osquery/extension_test.go b/pkg/osquery/extension_test.go index 22d83aa6b..7acb21519 100644 --- a/pkg/osquery/extension_test.go +++ b/pkg/osquery/extension_test.go @@ -1024,7 +1024,7 @@ func TestLauncherKeys(t *testing.T) { _, err := NewExtension(m, db, ExtensionOpts{EnrollSecret: "enroll_secret"}) require.NoError(t, err) - key, err := PrivateKeyFromDB(db) + key, err := PrivateRSAKeyFromDB(db) require.NoError(t, err) pubkeyPem, fingerprintStored, err := PublicKeyFromDB(db) From 64038f5ff8ea5a6b67d9891c551a4ebdaac0dfa6 Mon Sep 17 00:00:00 2001 From: seph Date: Thu, 12 Jan 2023 15:50:28 -0500 Subject: [PATCH 02/20] refactor2 --- pkg/osquery/extension.go | 72 +++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 31 deletions(-) diff --git a/pkg/osquery/extension.go b/pkg/osquery/extension.go index 5eedbcb60..f2c9c2780 100644 --- a/pkg/osquery/extension.go +++ b/pkg/osquery/extension.go 
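Review bot: PrivateRSAKeyFromDB's comment calls it "the old key" but does not use the `// Deprecated:` convention, so gopls and staticcheck will not flag new callers of a key this series is retiring; add `// Deprecated: the RSA launcher key is being replaced by hardware-backed keys.` as its own paragraph under the description. The extension_test.go change only tracks the new name, so the hunk is otherwise mechanical.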
@@ -248,49 +248,59 @@ func SetupLauncherKeys(db *bbolt.DB) error { return fmt.Errorf("creating bucket: %w", err) } - // This only checks the private key, but it should possibly check all the values we're setting. - if bucket.Get([]byte(privateKeyKey)) != nil { - return nil + if err := ensureRsaKey(bucket); err != nil { + return fmt.Errorf("ensuring rsa key: %w", err) } - key, err := rsaRandomKey() - if err != nil { - return fmt.Errorf("generating key: %w", err) - } + return nil + }) - fingerprint, err := rsaFingerprint(key) - if err != nil { - return fmt.Errorf("generating fingerprint: %w", err) - } + return err +} - var pub bytes.Buffer - if err := RsaPrivateKeyToPem(key, &pub); err != nil { - return fmt.Errorf("marshalling pub: %w", err) - } +// ensureRsaKey will create an RSA key in the launcher DB if one does not already exist. This is the old key that krypto used. We are moving away from it. +func ensureRsaKey(bucket *bbolt.Bucket) error { + // If it exists, we're good + if bucket.Get([]byte(privateKeyKey)) != nil { + return nil + } - keyDer, err := x509.MarshalPKCS8PrivateKey(key) - if err != nil { - return fmt.Errorf("marshalling key: %w", err) - } + // Create a random key + key, err := rsaRandomKey() + if err != nil { + return fmt.Errorf("generating key: %w", err) + } - if err := bucket.Put([]byte(privateKeyKey), keyDer); err != nil { - return fmt.Errorf("storing key: %w", err) - } + // Storing the finger print is probably bad idea, but we made that choice in the past and now we live with it. 
+ fingerprint, err := rsaFingerprint(key) + if err != nil { + return fmt.Errorf("generating fingerprint: %w", err) + } - if err := bucket.Put([]byte(publicKeyKey), pub.Bytes()); err != nil { - return fmt.Errorf("storing public key: %w", err) + var pub bytes.Buffer + if err := RsaPrivateKeyToPem(key, &pub); err != nil { + return fmt.Errorf("marshalling pub: %w", err) + } - } + keyDer, err := x509.MarshalPKCS8PrivateKey(key) + if err != nil { + return fmt.Errorf("marshalling key: %w", err) + } - if err := bucket.Put([]byte(keyFingerprintKey), []byte(fingerprint)); err != nil { - return fmt.Errorf("storing fingerprint: %w", err) - } + if err := bucket.Put([]byte(privateKeyKey), keyDer); err != nil { + return fmt.Errorf("storing key: %w", err) + } - return nil - }) + if err := bucket.Put([]byte(publicKeyKey), pub.Bytes()); err != nil { + return fmt.Errorf("storing public key: %w", err) - return err + } + + if err := bucket.Put([]byte(keyFingerprintKey), []byte(fingerprint)); err != nil { + return fmt.Errorf("storing fingerprint: %w", err) + } + return nil } // PrivateRSAKeyFromDB returns the private launcher key. This is the old key used to authenticate various launcher communications. From 59d5a7354b51224af26cce690c0ebf4c913b4b4b Mon Sep 17 00:00:00 2001 From: seph Date: Thu, 12 Jan 2023 17:31:12 -0500 Subject: [PATCH 03/20] refactor3 --- pkg/osquery/extension.go | 78 +++++++++++++++++++++++----------------- 1 file changed, 45 insertions(+), 33 deletions(-) diff --git a/pkg/osquery/extension.go b/pkg/osquery/extension.go index f2c9c2780..07c85ba44 100644 --- a/pkg/osquery/extension.go +++ b/pkg/osquery/extension.go @@ -3,6 +3,9 @@ package osquery import ( "bytes" "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" "crypto/rsa" "crypto/x509" "encoding/binary" 
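Review bot: The refactor keeps ensureRsaKey's early return on `bucket.Get([]byte(privateKeyKey)) != nil` but drops the removed comment's caveat that only the private key is checked, so a bucket holding the private key with a missing or stale publicKey/keyFingerprint is never repaired; since all three Puts now run inside one db.Update, that state can only come from older data or manual edits, but the caveat is worth keeping on the early return: `// Only the private key is checked; publicKey/keyFingerprint are not re-derived if they are missing.` The new `// Storing the finger print is probably bad idea` comment would be more useful if it said why: presumably because the fingerprint is derivable from the key and a stored copy can drift from it — confirm before stating it. ensureRsaKey's signature is on the previous line of the hunk, so the function is complete here.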
@@ -85,9 +88,11 @@ const ( // DB key for last retrieved config configKey = "config" // DB keys for the rsa keys - privateKeyKey = "privateKey" - publicKeyKey = "publicKey" - keyFingerprintKey = "keyFingerprint" + privateKeyKey = "privateKey" + + // Old things to delete + xPublicKeyKey = "publicKey" + xKeyFingerprintKey = "keyFingerprint" // Default maximum number of bytes per batch (used if not specified in // options). This 3MB limit is chosen based on the default grpc-go @@ -248,16 +253,40 @@ func SetupLauncherKeys(db *bbolt.DB) error { return fmt.Errorf("creating bucket: %w", err) } + // Soon-to-be-deprecated RSA keys if err := ensureRsaKey(bucket); err != nil { return fmt.Errorf("ensuring rsa key: %w", err) } + // Remove things we don't keep in the bucket any more + for _, k := range []string{xPublicKeyKey, xKeyFingerprintKey} { + if err := bucket.Delete([]byte(k)); err != nil { + return fmt.Errorf("deleting %s: %w", k, err) + } + } + return nil + }) return err } +func ensureHardwareKey(bucket *bbolt.Bucket) error { + return nil +} + +func ensureEccKey(bucket *bbolt.Bucket) error { + // This should, maybe, move this generate into krypto. Not sure + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + return fmt.Errorf("generating ecc key: %w", err) + } + + _ = key + return nil +} + // ensureRsaKey will create an RSA key in the launcher DB if one does not already exist. This is the old key that krypto used. We are moving away from it. func ensureRsaKey(bucket *bbolt.Bucket) error { // If it exists, we're good 
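Review bot: ensureEccKey generates a P-256 key and immediately discards it with `_ = key`, and ensureHardwareKey is an empty stub; neither is called yet, so staticcheck will report both as unused (U1000), and a reader may assume an ECC key is being persisted when it is not. If the scaffolding is meant to land now, a `// TODO: not yet called; key is generated but not persisted` comment on each makes that explicit, and the key generation can wait until there is somewhere to store the result. The loop that deletes `xPublicKeyKey`/`xKeyFingerprintKey` is a one-way migration: an older launcher that still reads those entries (the PublicKeyFromDB being removed later in this patch did) would find them gone and, because the RSA private key still exists, never recreate them — worth a sentence in the `// Remove things we don't keep` comment if downgrades are a supported path.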
@@ -271,17 +300,6 @@ func ensureRsaKey(bucket *bbolt.Bucket) error { return fmt.Errorf("generating key: %w", err) } - // Storing the finger print is probably bad idea, but we made that choice in the past and now we live with it. - fingerprint, err := rsaFingerprint(key) - if err != nil { - return fmt.Errorf("generating fingerprint: %w", err) - } - - var pub bytes.Buffer - if err := RsaPrivateKeyToPem(key, &pub); err != nil { - return fmt.Errorf("marshalling pub: %w", err) - } - keyDer, err := x509.MarshalPKCS8PrivateKey(key) if err != nil { return fmt.Errorf("marshalling key: %w", err) @@ -291,15 +309,6 @@ func ensureRsaKey(bucket *bbolt.Bucket) error { return fmt.Errorf("storing key: %w", err) } - if err := bucket.Put([]byte(publicKeyKey), pub.Bytes()); err != nil { - return fmt.Errorf("storing public key: %w", err) - - } - - if err := bucket.Put([]byte(keyFingerprintKey), []byte(fingerprint)); err != nil { - return fmt.Errorf("storing fingerprint: %w", err) - } - return nil } 
@@ -330,19 +339,22 @@ func PrivateRSAKeyFromDB(db *bbolt.DB) (*rsa.PrivateKey, error) { // PublicKeyFromDB returns the public portions of the launcher key. This is exposed in various launcher info structures. func PublicKeyFromDB(db *bbolt.DB) (string, string, error) { - var publicKey []byte - var fingerprint []byte + privateKey, err := PrivateRSAKeyFromDB(db) + if err != nil { + return "", "", fmt.Errorf("error reading private key info from db: %w", err) + } - if err := db.View(func(tx *bbolt.Tx) error { - b := tx.Bucket([]byte(configBucket)) - publicKey = b.Get([]byte(publicKeyKey)) - fingerprint = b.Get([]byte(keyFingerprintKey)) - return nil - }); err != nil { - return "", "", fmt.Errorf("error reading public key info from db: %w", err) + fingerprint, err := rsaFingerprint(privateKey) + if err != nil { + return "", "", fmt.Errorf("error generating fingerprint: %w", err) + } + + var publicKey bytes.Buffer + if err := RsaPrivateKeyToPem(privateKey, &publicKey); err != nil { + return "", "", fmt.Errorf("marshalling pub: %w", err) } - return string(publicKey), string(fingerprint), nil + return publicKey.String(), fingerprint, nil } // IdentifierFromDB returns the built-in launcher identifier from the config bucket. From b51d4c9e6b2404fd7d010c8d10e5cae3700de1ba Mon Sep 17 00:00:00 2001 From: seph Date: Thu, 12 Jan 2023 17:32:43 -0500 Subject: [PATCH 04/20] add ecc keys --- pkg/osquery/extension.go | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/pkg/osquery/extension.go b/pkg/osquery/extension.go index 07c85ba44..0966aa6eb 100644 --- a/pkg/osquery/extension.go +++ b/pkg/osquery/extension.go @@ -88,7 +88,8 @@ const ( // DB key for last retrieved config configKey = "config" // DB keys for the rsa keys - privateKeyKey = "privateKey" + privateKeyKey = "privateKey" + privateEccKeyKey = "privateEccKey" // Old things to delete xPublicKeyKey = "publicKey" 
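Review bot: PublicKeyFromDB now produces the value returned as the public key by calling `RsaPrivateKeyToPem(privateKey, &publicKey)`, a helper whose name says it encodes the private key; its body is not in this patch, so confirm it emits only the public half — this string is surfaced in the launcher_info `public_key` column, and encoding the private key there would expose it to anyone who can query osquery. If it does emit the public key, a comment at the call site prevents the next reader from the same worry, e.g. `// RsaPrivateKeyToPem writes the PKIX *public* key despite its name.`; otherwise `x509.MarshalPKIXPublicKey(privateKey.Public())` in a `PUBLIC KEY` pem.Block makes the intent unambiguous. Note also that the removed bbolt read returned empty strings when the entries were absent, whereas this version returns an error from PrivateRSAKeyFromDB; the launcher_info caller blanks the values on error, but the doc comment should say the function now errors rather than returning "" when no key exists.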
@@ -258,6 +259,11 @@ func SetupLauncherKeys(db *bbolt.DB) error { return fmt.Errorf("ensuring rsa key: %w", err) } + // ECC keys. These are meant as launcher install keus + if err := ensureEccKey(bucket); err != nil { + return fmt.Errorf("ensuring ecc key: %w", err) + } + // Remove things we don't keep in the bucket any more for _, k := range []string{xPublicKeyKey, xKeyFingerprintKey} { if err := bucket.Delete([]byte(k)); err != nil { @@ -277,13 +283,26 @@ func ensureHardwareKey(bucket *bbolt.Bucket) error { } func ensureEccKey(bucket *bbolt.Bucket) error { + // If it exists, we're good + if bucket.Get([]byte(privateEccKeyKey)) != nil { + return nil + } + // This should, maybe, move this generate into krypto. Not sure key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { return fmt.Errorf("generating ecc key: %w", err) } - _ = key + keyDer, err := x509.MarshalPKCS8PrivateKey(key) + if err != nil { + return fmt.Errorf("marshalling key: %w", err) + } + + if err := bucket.Put([]byte(privateEccKeyKey), keyDer); err != nil { + return fmt.Errorf("storing key: %w", err) + } + return nil } From e79c34f1b037de939f8c64f9d1b73b550c225d9b Mon Sep 17 00:00:00 2001 From: seph Date: Thu, 12 Jan 2023 19:26:19 -0500 Subject: [PATCH 05/20] maybe? Need to see where James goes --- pkg/osquery/extension.go | 42 +++++++++++++++++++++++++++--- pkg/osquery/extension_test.go | 4 +-- pkg/osquery/keys.go | 12 +++++++++ pkg/osquery/table/launcher_info.go | 18 ++++++++++++- 4 files changed, 69 insertions(+), 7 deletions(-) diff --git a/pkg/osquery/extension.go b/pkg/osquery/extension.go index 0966aa6eb..f75fa055d 100644 --- a/pkg/osquery/extension.go +++ b/pkg/osquery/extension.go @@ -3,6 +3,7 @@ package osquery import ( "bytes" "context" + "crypto" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" 
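Review bot: The comment above the new ensureEccKey call has a typo, `// ECC keys. These are meant as launcher install keus` → `keys`, and neither it nor ensureEccKey says that this key is generated in software and stored unencrypted in the bbolt bucket next to the RSA key, so its confidentiality rests entirely on the DB file's permissions. A one-line note on the function would make that explicit: `// The key is generated in software and persisted as plaintext PKCS#8 DER in the launcher DB; it is only as protected as the DB file.` Like ensureRsaKey, the early return trusts any non-nil value under `privateEccKeyKey`, so a truncated or corrupt entry is never regenerated and every later read will fail; consider parsing the stored bytes (`x509.ParsePKCS8PrivateKey`) before returning early, or at least documenting that recovery requires clearing the entry.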
@@ -306,6 +307,39 @@ func ensureEccKey(bucket *bbolt.Bucket) error { return nil } +func PrivateECCKeyFromDB(db *bbolt.DB) (*ecdsa.PrivateKey, error) { + var privateKey []byte + + if err := db.View(func(tx *bbolt.Tx) error { + b := tx.Bucket([]byte(configBucket)) + privateKey = b.Get([]byte(privateEccKeyKey)) + return nil + }); err != nil { + return nil, fmt.Errorf("error reading private key info from db: %w", err) + } + + key, err := x509.ParsePKCS8PrivateKey(privateKey) + if err != nil { + return nil, fmt.Errorf("error parsing private key: %w", err) + } + + ecckey, ok := key.(*ecdsa.PrivateKey) + if !ok { + return nil, errors.New("Private key is not an rsa key") + } + + return ecckey, nil +} + +func PublicECCKeyFromDB(db *bbolt.DB) (crypto.PublicKey, error) { + privateKey, err := PrivateECCKeyFromDB(db) + if err != nil { + return nil, fmt.Errorf("reading private key: %w", err) + } + + return privateKey.Public(), nil +} + // ensureRsaKey will create an RSA key in the launcher DB if one does not already exist. This is the old key that krypto used. We are moving away from it. func ensureRsaKey(bucket *bbolt.Bucket) error { // If it exists, we're good 
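Review bot: The type-assertion failure in PrivateECCKeyFromDB reports the wrong key type: `return nil, errors.New("Private key is not an rsa key")` was copied from the RSA reader and should read `errors.New("private key is not an ecdsa key")`. The View closure also dereferences `tx.Bucket([]byte(configBucket))` without a nil check, so a DB that predates the bucket panics instead of returning an error; `if b == nil { return nil }` before the Get leaves privateKey nil and lets the parse step report the absence on the error path. Both new exported functions lack doc comments; `// PrivateECCKeyFromDB returns the launcher install key stored under privateEccKeyKey.` and a matching line for PublicECCKeyFromDB would do.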
@@ -356,16 +390,16 @@ func PrivateRSAKeyFromDB(db *bbolt.DB) (*rsa.PrivateKey, error) { return rsakey, nil } -// PublicKeyFromDB returns the public portions of the launcher key. This is exposed in various launcher info structures. -func PublicKeyFromDB(db *bbolt.DB) (string, string, error) { +// PublicRSAKeyFromDB returns the public portions of the launcher key. This is exposed in various launcher info structures. +func PublicRSAKeyFromDB(db *bbolt.DB) (string, string, error) { privateKey, err := PrivateRSAKeyFromDB(db) if err != nil { - return "", "", fmt.Errorf("error reading private key info from db: %w", err) + return "", "", fmt.Errorf("reading private key: %w", err) } fingerprint, err := rsaFingerprint(privateKey) if err != nil { - return "", "", fmt.Errorf("error generating fingerprint: %w", err) + return "", "", fmt.Errorf("generating fingerprint: %w", err) } var publicKey bytes.Buffer diff --git a/pkg/osquery/extension_test.go b/pkg/osquery/extension_test.go index 7acb21519..10bd7542f 100644 --- a/pkg/osquery/extension_test.go +++ b/pkg/osquery/extension_test.go @@ -1014,7 +1014,7 @@ func TestExtensionWriteResults(t *testing.T) { assert.Equal(t, expectedResults, gotResults) } -func TestLauncherKeys(t *testing.T) { +func TestLauncherRsaKeys(t *testing.T) { t.Parallel() m := &mock.KolideService{} @@ -1027,7 +1027,7 @@ func TestLauncherKeys(t *testing.T) { key, err := PrivateRSAKeyFromDB(db) require.NoError(t, err) - pubkeyPem, fingerprintStored, err := PublicKeyFromDB(db) + pubkeyPem, fingerprintStored, err := PublicRSAKeyFromDB(db) require.NoError(t, err) fingerprint, err := rsaFingerprint(key) diff --git a/pkg/osquery/keys.go b/pkg/osquery/keys.go index 37c00d1bf..e6cfde338 100644 --- a/pkg/osquery/keys.go +++ b/pkg/osquery/keys.go 
@@ -75,3 +75,15 @@ func KeyFromPem(pemRaw []byte) (interface{}, error) { return nil, fmt.Errorf("Unknown block type: %s", block.Type) } + +func PublicKeyToPem(pub any, out io.Writer) error { + der, err := x509.MarshalPKIXPublicKey(pub) + if err != nil { + return fmt.Errorf("pkix marshalling: %w", err) + } + + return pem.Encode(out, &pem.Block{ + Type: "PUBLIC KEY", + Bytes: der, + }) +} diff --git a/pkg/osquery/table/launcher_info.go b/pkg/osquery/table/launcher_info.go index 8e20ceb82..615d649e0 100644 --- a/pkg/osquery/table/launcher_info.go +++ b/pkg/osquery/table/launcher_info.go @@ -1,6 +1,7 @@ package table import ( + "bytes" "context" "runtime" @@ -23,6 +24,13 @@ func LauncherInfoTable(db *bbolt.DB) *table.Plugin { table.TextColumn("version"), table.TextColumn("identifier"), table.TextColumn("osquery_instance_id"), + + // Various identifying keys + table.TextColumn("launcher_public_key"), + table.TextColumn("hardware_public_key"), + table.TextColumn("combined_key"), + + // Old RSA Key table.TextColumn("fingerprint"), table.TextColumn("public_key"), } @@ -42,7 +50,7 @@ func generateLauncherInfoTable(db *bbolt.DB) table.GenerateFunc { return nil, err } - publicKey, fingerprint, err := osquery.PublicKeyFromDB(db) + publicKey, fingerprint, err := osquery.PublicRSAKeyFromDB(db) if err != nil { // No logger here, so we can't easily log. Move on with blank values publicKey = "" @@ -66,6 +74,14 @@ func generateLauncherInfoTable(db *bbolt.DB) table.GenerateFunc { }, } + // No logger, so just ignore errors. generate the pem encoding if we can. + if eccKey, err := osquery.PublicECCKeyFromDB(db); err == nil { + var pem bytes.Buffer + if err := osquery.PublicKeyToPem(eccKey, &pem); err == nil { + results[0]["launcher_public_key"] = pem.String() + } + } + return results, nil } } From 747861ffed0c1739d4b0276588483b30defa4234 Mon Sep 17 00:00:00 2001 
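Review bot: PublicKeyToPem is exported without a doc comment; `// PublicKeyToPem writes pub as a PKIX-encoded "PUBLIC KEY" PEM block to out.` is enough, and it is worth noting that `x509.MarshalPKIXPublicKey` only accepts RSA, ECDSA, Ed25519 and ECDH public keys, so any other `pub` is reported as an error rather than encoded. The surrounding KeyFromPem is outside the hunk, so the file's existing comment style is not visible here.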
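Review bot: The new columns `hardware_public_key` and `combined_key` are declared in the LauncherInfoTable schema but never set in generateLauncherInfoTable, so they always read back empty; either drop them until a value exists or mark them in the column list with `// reserved: populated once hardware keys are wired up` so a query author does not chase a bug. The `launcher_public_key` value is only set when both PublicECCKeyFromDB and PublicKeyToPem succeed, which the `// No logger, so just ignore errors` comment covers, but it should also say the column is left empty on error. generateLauncherInfoTable's signature is above the hunk, so the function is only partly visible.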
From: seph Date: Mon, 23 Jan 2023 00:24:02 -0500 Subject: [PATCH 06/20] initial ecc --- pkg/agent/keys.go | 72 ++++++++++++++++++++++++++++++++++++++++ pkg/agent/keys_darwin.go | 63 +++++++++++++++++++++++++++++++++++ pkg/agent/keys_tpm.go | 41 +++++++++++++++++++++++ 3 files changed, 176 insertions(+) create mode 100644 pkg/agent/keys.go create mode 100644 pkg/agent/keys_darwin.go create mode 100644 pkg/agent/keys_tpm.go diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go new file mode 100644 index 000000000..2fcb7a5e8 --- /dev/null +++ b/pkg/agent/keys.go 
@@ -0,0 +1,72 @@ +package agent + +import ( + "crypto" + "fmt" + + "github.com/go-kit/kit/log" + "go.etcd.io/bbolt" +) + +type keyInt interface { + crypto.Signer + Public() crypto.PublicKey + //Type() string // Not Yet Supported by Krypto +} + +var Keys keyInt + +func SetupKeys(logger log.Logger, db *bbolt.DB) error { + // FIXME: How do we detect failure is _hardware_ and fallback to local keys? + return setupHardwareKeys(logger, db) +} + +// This duplicates some of pkg/osquery/extension.go but that feels like the wrong place. +// Really, we should have a simpler interface over a storage layer. +const ( + bucketName = "config" + privateEccData = "privateEccData" + publicEccData = "publicEccData" +) + +func fetchKeyData(db *bbolt.DB) ([]byte, []byte, error) { + var pri []byte + var pub []byte + + if err := db.View(func(tx *bbolt.Tx) error { + b := tx.Bucket([]byte(bucketName)) + if b == nil { + return nil + } + + pri = b.Get([]byte(privateEccData)) + pub = b.Get([]byte(publicEccData)) + + return nil + }); err != nil { + return nil, nil, err + } + + return pri, pub, nil +} + +func storeKeyData(db *bbolt.DB, pri, pub []byte) error { + return db.Update(func(tx *bbolt.Tx) error { + b, err := tx.CreateBucketIfNotExists([]byte(bucketName)) + if err != nil { + return fmt.Errorf("creating bucket: %w", err) + } + + if err := b.Put([]byte(privateEccData), pri); err != nil { + return err + } + + if err := b.Put([]byte(publicEccData), pub); err != nil { + return err + } + + return nil + }) + + return nil +} diff --git a/pkg/agent/keys_darwin.go b/pkg/agent/keys_darwin.go new file mode 100644 index 000000000..f3e534cea --- /dev/null +++ b/pkg/agent/keys_darwin.go 
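Review bot: `Keys` is an exported package-level variable that stays nil until SetupKeys succeeds, so any caller that reaches `agent.Keys.Public()` before setup, or after a failed setup, panics on a nil interface; its doc comment should state that, and a nil-safe default or a caller-side check is needed before table code uses it. storeKeyData also ends with an unreachable `return nil` after `return db.Update(...)`, which `go vet` reports. The FIXME in SetupKeys is the security-relevant decision in this file: if a software fallback is ever added, the key's origin must be recorded with it so the server can tell a hardware-bound identity from a software one — capture that in the doc comment now, e.g. `// SetupKeys initialises Keys from the hardware-backed signer; there is intentionally no software fallback yet.`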
@@ -0,0 +1,63 @@ +//go:build darwin +// +build darwin + +package agent + +import ( + "crypto/ecdsa" + "crypto/elliptic" + "fmt" + + "github.com/go-kit/kit/log" + "github.com/go-kit/kit/log/level" + "github.com/kolide/krypto/pkg/secureenclave" + "go.etcd.io/bbolt" +) + +func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { + _, pubData, err := fetchKeyData(db) + if err != nil { + return err + } + + if pubData == nil { + level.Info(logger).Log("Generating new keys") + pub, err := secureenclave.CreateKey() + if err != nil { + return fmt.Errorf("creating key: %w", err) + } + + if err := storeKeyData(db, nil, ecdsaToRaw(pub)); err != nil { + return fmt.Errorf("storing key: %w", err) + } + + k, err := secureenclave.New(*pub) + if err != nil { + return fmt.Errorf("creating secureenclave signer:, from new key %w", err) + } + + Keys = k + return nil + } + + k, err := secureenclave.New(*rawToEcdsa(pubData)) + if err != nil { + return fmt.Errorf("creating secureenclave signer: %w", err) + } + + Keys = k + return nil +} + +// TODO: These raw functions should just move into secureenclave. There's some skew between Create and New + +func rawToEcdsa(raw []byte) *ecdsa.PublicKey { + ecKey := new(ecdsa.PublicKey) + ecKey.Curve = elliptic.P256() + ecKey.X, ecKey.Y = elliptic.Unmarshal(ecKey.Curve, raw) + return ecKey +} + +func ecdsaToRaw(key *ecdsa.PublicKey) []byte { + return elliptic.Marshal(elliptic.P256(), key.X, key.Y) +} diff --git a/pkg/agent/keys_tpm.go b/pkg/agent/keys_tpm.go new file mode 100644 index 000000000..4cebff623 --- /dev/null +++ b/pkg/agent/keys_tpm.go 
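Review bot: `level.Info(logger).Log("Generating new keys")` passes a lone value to a go-kit logger, which expects key/value pairs and will render the message as a key with a missing value; use `level.Info(logger).Log("msg", "Generating new keys")`. The error string `"creating secureenclave signer:, from new key %w"` has a stray comma. rawToEcdsa ignores that `elliptic.Unmarshal` returns nil coordinates for a malformed point, so corrupted `publicEccData` yields a key with nil X/Y that `secureenclave.New(*rawToEcdsa(pubData))` will presumably dereference; return an error when `X == nil` instead. Finally, if storeKeyData fails after `secureenclave.CreateKey()`, the enclave key has already been created and nothing references it any more — if krypto exposes a delete, call it on that path, otherwise note the orphan in a comment.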
@@ -0,0 +1,41 @@ +//go:build !darwin +// +build !darwin + +package agent + +import ( + "fmt" + + "github.com/go-kit/kit/log" + "github.com/go-kit/kit/log/level" + "github.com/kolide/krypto/pkg/tpm" + "go.etcd.io/bbolt" +) + +func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { + priData, pubData, err := fetchKeyData(db) + if err != nil { + return err + } + + if pubData == nil || priData == nil { + level.Info(logger).Log("Generating new keys") + + priData, pubData, err := tpm.CreateKey() + if err != nil { + return fmt.Errorf("creating key: %w", err) + } + + if err := storeKeyData(db, priData, pubData); err != nil { + return fmt.Errorf("storing key: %w", err) + } + } + + k, err := tpm.New(priData, pubData) + if err != nil { + return fmt.Errorf("creating tpm signer:, from new key %w", err) + } + + Keys = k + return nil +} From cb2783efd6e423ff7915933898f75cd35a3789e2 Mon Sep 17 00:00:00 2001 From: seph Date: Mon, 23 Jan 2023 00:29:08 -0500 Subject: [PATCH 07/20] noop --- pkg/agent/keys.go | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go index 2fcb7a5e8..616a77a2d 100644 --- a/pkg/agent/keys.go +++ b/pkg/agent/keys.go @@ -2,7 +2,9 @@ package agent import ( "crypto" + "errors" "fmt" + "io" "github.com/go-kit/kit/log" "go.etcd.io/bbolt" @@ -14,7 +16,22 @@ type keyInt interface { //Type() string // Not Yet Supported by Krypto } -var Keys keyInt +type noopKeys struct { +} + +func (n noopKeys) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) (signature []byte, err error) { + return nil, errors.New("Can't sign. Unconfigured keys") +} + +func (n noopKeys) Public() crypto.PublicKey { + return nil +} + +func (n noopKeys) Type() string { + return "noop" +} + +var Keys keyInt = noopKeys{} func SetupKeys(logger log.Logger, db *bbolt.DB) error { // FIXME: How do we detect failure is _hardware_ and fallback to local keys? From 1aacfbc80a23669280354626c03ca8ce07f34afa Mon Sep 17 00:00:00 2001 
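Review bot: In setupHardwareKeys the `priData, pubData, err := tpm.CreateKey()` inside the if block declares new variables that shadow the outer priData/pubData, so after a fresh key is generated and stored, `tpm.New(priData, pubData)` below still receives the outer nil values and the first run fails until the next start; declare `var err error` and assign with `=` so the outer variables are updated. The same go-kit logging issue applies here: `level.Info(logger).Log("Generating new keys")` needs a `"msg"` key. A comment should also say what priData is — presumably the TPM-wrapped private blob, usable only by the TPM that produced it, so copying the DB does not move the identity — but confirm that against krypto's tpm package before stating it.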
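Review bot: noopKeys.Sign builds a fresh error on every call, `errors.New("Can't sign. Unconfigured keys")`; a package-level sentinel such as `var ErrKeysUnconfigured = errors.New("keys not configured")` lets callers separate "not set up yet" from a hardware signing failure with errors.Is, and follows the lowercase error-string convention. `Type()` is deliberately left off keyInt (`//Type() string // Not Yet Supported by Krypto`), so noopKeys.Type is unreachable through Keys; a short comment saying it is kept for when krypto adds the method explains why it exists. The doc comment on `Keys` should state that it defaults to noopKeys, is replaced by SetupKeys, and is assigned without synchronization, so SetupKeys must run before anything else reads it.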
From: seph Date: Mon, 23 Jan 2023 00:39:18 -0500 Subject: [PATCH 08/20] iterate --- pkg/osquery/extension.go | 73 +----------------------------- pkg/osquery/table/launcher_info.go | 13 +++--- 2 files changed, 8 insertions(+), 78 deletions(-) diff --git a/pkg/osquery/extension.go b/pkg/osquery/extension.go index f75fa055d..194fa1ce8 100644 --- a/pkg/osquery/extension.go +++ b/pkg/osquery/extension.go @@ -3,10 +3,6 @@ package osquery import ( "bytes" "context" - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" "crypto/rsa" "crypto/x509" "encoding/binary" @@ -89,8 +85,7 @@ const ( // DB key for last retrieved config configKey = "config" // DB keys for the rsa keys - privateKeyKey = "privateKey" - privateEccKeyKey = "privateEccKey" + privateKeyKey = "privateKey" // Old things to delete xPublicKeyKey = "publicKey" @@ -260,11 +255,6 @@ func SetupLauncherKeys(db *bbolt.DB) error { return fmt.Errorf("ensuring rsa key: %w", err) } - // ECC keys. These are meant as launcher install keus - if err := ensureEccKey(bucket); err != nil { - return fmt.Errorf("ensuring ecc key: %w", err) - } - // Remove things we don't keep in the bucket any more for _, k := range []string{xPublicKeyKey, xKeyFingerprintKey} { if err := bucket.Delete([]byte(k)); err != nil { 
@@ -279,67 +269,6 @@ func SetupLauncherKeys(db *bbolt.DB) error { return err } -func ensureHardwareKey(bucket *bbolt.Bucket) error { - return nil -} - -func ensureEccKey(bucket *bbolt.Bucket) error { - // If it exists, we're good - if bucket.Get([]byte(privateEccKeyKey)) != nil { - return nil - } - - // This should, maybe, move this generate into krypto. Not sure - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) - if err != nil { - return fmt.Errorf("generating ecc key: %w", err) - } - - keyDer, err := x509.MarshalPKCS8PrivateKey(key) - if err != nil { - return fmt.Errorf("marshalling key: %w", err) - } - - if err := bucket.Put([]byte(privateEccKeyKey), keyDer); err != nil { - return fmt.Errorf("storing key: %w", err) - } - - return nil -} - -func PrivateECCKeyFromDB(db *bbolt.DB) (*ecdsa.PrivateKey, error) { - var privateKey []byte - - if err := db.View(func(tx *bbolt.Tx) error { - b := tx.Bucket([]byte(configBucket)) - privateKey = b.Get([]byte(privateEccKeyKey)) - return nil - }); err != nil { - return nil, fmt.Errorf("error reading private key info from db: %w", err) - } - - key, err := x509.ParsePKCS8PrivateKey(privateKey) - if err != nil { - return nil, fmt.Errorf("error parsing private key: %w", err) - } - - ecckey, ok := key.(*ecdsa.PrivateKey) - if !ok { - return nil, errors.New("Private key is not an rsa key") - } - - return ecckey, nil -} - -func PublicECCKeyFromDB(db *bbolt.DB) (crypto.PublicKey, error) { - privateKey, err := PrivateECCKeyFromDB(db) - if err != nil { - return nil, fmt.Errorf("reading private key: %w", err) - } - - return privateKey.Public(), nil -} - // ensureRsaKey will create an RSA key in the launcher DB if one does not already exist. This is the old key that krypto used. We are moving away from it. func ensureRsaKey(bucket *bbolt.Bucket) error { // If it exists, we're good diff --git a/pkg/osquery/table/launcher_info.go b/pkg/osquery/table/launcher_info.go index 615d649e0..ff7d9d011 100644 
--- a/pkg/osquery/table/launcher_info.go +++ b/pkg/osquery/table/launcher_info.go @@ -6,6 +6,7 @@ import ( "runtime" "github.com/kolide/kit/version" + "github.com/kolide/launcher/pkg/agent" "github.com/kolide/launcher/pkg/osquery" "github.com/kolide/launcher/pkg/osquery/runtime/history" "github.com/osquery/osquery-go/plugin/table" @@ -25,10 +26,9 @@ func LauncherInfoTable(db *bbolt.DB) *table.Plugin { table.TextColumn("identifier"), table.TextColumn("osquery_instance_id"), - // Various identifying keys - table.TextColumn("launcher_public_key"), - table.TextColumn("hardware_public_key"), - table.TextColumn("combined_key"), + // New hardware keys + table.TextColumn("signing_key"), + table.TextColumn("signing_key_source"), // Old RSA Key table.TextColumn("fingerprint"), @@ -75,10 +75,11 @@ func generateLauncherInfoTable(db *bbolt.DB) table.GenerateFunc { } // No logger, so just ignore errors. generate the pem encoding if we can. - if eccKey, err := osquery.PublicECCKeyFromDB(db); err == nil { + if eccKey := agent.Keys.Public(); eccKey != nil { var pem bytes.Buffer if err := osquery.PublicKeyToPem(eccKey, &pem); err == nil { - results[0]["launcher_public_key"] = pem.String() + results[0]["signing_key"] = pem.String() + results[0]["signing_key_source"] = "TBD" } } From 619aaff0241e50ad0891e13085012191d4e1bcce Mon Sep 17 00:00:00 2001 From: seph Date: Mon, 23 Jan 2023 17:14:05 -0500 Subject: [PATCH 09/20] update for current krypto --- pkg/agent/keys.go | 19 +++++++++++++++++-- pkg/agent/keys_darwin.go | 21 ++++++++------------- pkg/agent/keys_tpm.go | 5 ++++- 3 files changed, 29 insertions(+), 16 deletions(-) diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go index 616a77a2d..6567b684c 100644 --- a/pkg/agent/keys.go +++ b/pkg/agent/keys.go @@ -7,12 +7,12 @@ import ( "io" "github.com/go-kit/kit/log" + "github.com/go-kit/kit/log/level" "go.etcd.io/bbolt" ) type keyInt interface { crypto.Signer - Public() crypto.PublicKey //Type() string // Not Yet Supported by Krypto } 
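Review bot: `results[0]["signing_key_source"] = "TBD"` writes a literal placeholder into a column that remote queries will read and may store; until the source is known, leave the column unset (empty) and keep a `// TODO: populate signing_key_source once krypto exposes the key type` comment, or derive it from the signer once Type() is available. The `eccKey != nil` guard works against noopKeys only because its Public() returns an untyped nil; that is worth a one-line comment so a future signer returning a typed nil pointer does not silently defeat the check. generateLauncherInfoTable's signature is above the hunk.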
@@ -84,6 +84,21 @@ func storeKeyData(db *bbolt.DB, pri, pub []byte) error { return nil }) +} - return nil +// clearKeyData is used to clear the keys as part of error handling around new keys. It is not intented to be called +// regularly, and since the path that calls it is around DB errors, it has no error handling. +func clearKeyData(logger log.Logger, db *bbolt.DB) { + level.Info(logger).Log("msg", "Clearing keys") + _ = db.Update(func(tx *bbolt.Tx) error { + b := tx.Bucket([]byte(bucketName)) + if b == nil { + return nil + } + + _ = b.Delete([]byte(privateEccData)) + _ = b.Delete([]byte(publicEccData)) + + return nil + }) } diff --git a/pkg/agent/keys_darwin.go b/pkg/agent/keys_darwin.go index f3e534cea..d12188caa 100644 --- a/pkg/agent/keys_darwin.go +++ b/pkg/agent/keys_darwin.go @@ -4,8 +4,6 @@ package agent import ( - "crypto/ecdsa" - "crypto/elliptic" "fmt" "github.com/go-kit/kit/log" @@ -22,25 +20,20 @@ func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { if pubData == nil { level.Info(logger).Log("Generating new keys") - pub, err := secureenclave.CreateKey() + + var err error + pubData, err = secureenclave.CreateKey() if err != nil { return fmt.Errorf("creating key: %w", err) } - if err := storeKeyData(db, nil, ecdsaToRaw(pub)); err != nil { + if err := storeKeyData(db, nil, pubData); err != nil { + clearKeyData(logger, db) return fmt.Errorf("storing key: %w", err) } - - k, err := secureenclave.New(*pub) - if err != nil { - return fmt.Errorf("creating secureenclave signer:, from new key %w", err) - } - - Keys = k - return nil } - k, err := secureenclave.New(*rawToEcdsa(pubData)) + k, err := secureenclave.New(pubData) if err != nil { return fmt.Errorf("creating secureenclave signer: %w", err) } @@ -49,6 +42,7 @@ func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { return nil } +/* // TODO: These raw functions should just move into secureenclave. There's some skew between Create and New func rawToEcdsa(raw []byte) *ecdsa.PublicKey { 
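Review bot: On the storeKeyData failure path `clearKeyData(logger, db)` removes the stored public key, but the Secure Enclave key created by `secureenclave.CreateKey()` a few lines earlier stays in the enclave with nothing referencing it, and every retry creates another; if krypto offers a way to delete an enclave key by its public key, call it here, otherwise document the leak with `// NOTE: only our reference is cleared; the enclave key itself is not removed.` The `Log("Generating new keys")` call still lacks the `"msg"` key that clearKeyData uses. In clearKeyData the `_ = db.Update(...)` also drops the transaction error, which the doc comment does not cover — logging it at debug costs nothing and helps when the DB itself is the problem.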
@@ -61,3 +55,4 @@ func rawToEcdsa(raw []byte) *ecdsa.PublicKey { func ecdsaToRaw(key *ecdsa.PublicKey) []byte { return elliptic.Marshal(elliptic.P256(), key.X, key.Y) } +*/ diff --git a/pkg/agent/keys_tpm.go b/pkg/agent/keys_tpm.go index 4cebff623..40b25b95e 100644 --- a/pkg/agent/keys_tpm.go +++ b/pkg/agent/keys_tpm.go @@ -21,12 +21,15 @@ func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { if pubData == nil || priData == nil { level.Info(logger).Log("Generating new keys") - priData, pubData, err := tpm.CreateKey() + var err error + priData, pubData, err = tpm.CreateKey() if err != nil { + clearKeyData(logger, db) return fmt.Errorf("creating key: %w", err) } if err := storeKeyData(db, priData, pubData); err != nil { + clearKeyData(logger, db) return fmt.Errorf("storing key: %w", err) } } From b6318ff57d12650cf76c822934409da385c50907 Mon Sep 17 00:00:00 2001 From: seph Date: Mon, 23 Jan 2023 17:15:36 -0500 Subject: [PATCH 10/20] go.mod --- go.mod | 7 +++--- go.sum | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 69 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index 6283127f7..410698b48 100644 --- a/go.mod +++ b/go.mod @@ -18,8 +18,8 @@ require ( github.com/groob/plist v0.0.0-20190114192801-a99fbe489d03 github.com/kardianos/osext v0.0.0-20170510131534-ae77be60afb1 github.com/knightsc/system_policy v1.1.1-0.20211029142728-5f4c0d5419cc - github.com/kolide/kit v0.0.0-20220920212810-17eca5d2e6d2 - github.com/kolide/krypto v0.0.0-20220830180245-7cb3a3940071 + github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab + github.com/kolide/krypto v0.0.0-20230123214238-2219d22c9a17 github.com/kolide/updater v0.0.0-20190315001611-15bbc19b5b80 github.com/kr/pty v1.1.2 github.com/mat/besticon v3.9.0+incompatible 
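Review bot: When only one of priData/pubData is missing, setupHardwareKeys regenerates both and silently replaces the device's TPM identity; that is a reasonable recovery, but it should be logged at warn with which half was missing, e.g. `level.Warn(logger).Log("msg", "tpm key data incomplete, regenerating", "have_pub", pubData != nil, "have_priv", priData != nil)`, since a new signing key will look like a new device server-side. The `clearKeyData` call on the CreateKey error path runs before anything new is stored, so what it discards is the pre-existing partial state — a comment saying so would make the intent clear. The function's opening lines are outside the hunk.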
@@ -40,7 +40,7 @@ require ( github.com/yusufpapurcu/wmi v1.2.2 // indirect go.etcd.io/bbolt v1.3.6 go.opencensus.io v0.23.0 - golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 + golang.org/x/crypto v0.4.0 golang.org/x/exp v0.0.0-20221126150942-6ab00d035af9 golang.org/x/image v0.3.0 golang.org/x/net v0.4.0 @@ -74,6 +74,7 @@ require ( github.com/go-logfmt/logfmt v0.4.0 // indirect github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect github.com/google/certificate-transparency-go v1.0.21 // indirect + github.com/google/go-tpm v0.3.3 // indirect github.com/gopherjs/gopherjs v1.17.2 // indirect github.com/gorilla/context v1.1.1 // indirect github.com/gorilla/mux v1.6.2 // indirect diff --git a/go.sum b/go.sum index c2301adee..ddf1d4ee4 100644 --- a/go.sum +++ b/go.sum @@ -63,6 +63,7 @@ github.com/apache/thrift v0.13.1-0.20200603211036-eac4d0c79a5f/go.mod h1:cp2SuWM github.com/apache/thrift v0.16.0 h1:qEy6UW60iVOlUy+b9ZR0d5WzUWYGOo4HfopoyBaNmoY= github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= 
@@ -89,11 +90,20 @@ github.com/cloudflare/cfssl v0.0.0-20181102015659-ea4033a214e7/go.mod h1:yMWuSON github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/docker/distribution v2.8.0+incompatible 
h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY= github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= @@ -141,8 +151,10 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY= 
@@ -191,6 +203,12 @@ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= +github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= +github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= +github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= +github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51BeghL4= +github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0= +github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= 
@@ -219,10 +237,14 @@ github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/groob/plist v0.0.0-20190114192801-a99fbe489d03 h1:z4Na/Ihs7LelUWfkSkr3sixCMwF3Ln1a/3K4eXynhBg= github.com/groob/plist v0.0.0-20190114192801-a99fbe489d03/go.mod h1:qg2Nek0ND/hIr+nY8H1oVqEW2cLzVVNaAQ0QexOyjyc= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8= github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4= 
@@ -251,12 +273,14 @@ github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jinzhu/gorm v1.9.1 h1:lDSDtsCt5AGGSKTs8AHlSDbbgif4G4+CKJ8ETBDVHTA= github.com/jinzhu/gorm v1.9.1/go.mod h1:Vla75njaFJ8clLU1W44h34PjIkijhjHIYnZxMqCdxqo= github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a h1:eeaG9XMUvRBYXJi4pg1ZKM7nxc5AfXfojeLLW7O5J3k= github.com/jinzhu/inflection v0.0.0-20180308033659-04140366298a/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc= github.com/jmoiron/sqlx v0.0.0-20180406164412-2aeb6a910c2b/go.mod h1:IiEW3SEiiErVyFdH8NTuWjSifiEQKUoyK3LNqr2kCHU= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= 
@@ -265,14 +289,15 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kardianos/osext v0.0.0-20170510131534-ae77be60afb1 h1:PJPDf8OUfOK1bb/NeTKd4f1QXZItOX389VN3B6qC8ro= github.com/kardianos/osext v0.0.0-20170510131534-ae77be60afb1/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/knightsc/system_policy v1.1.1-0.20211029142728-5f4c0d5419cc h1:g2S0GQD5Q2jXmPdTJS8L8JfA1GquHnFeK3PDcl26E/k= github.com/knightsc/system_policy v1.1.1-0.20211029142728-5f4c0d5419cc/go.mod h1:5e34JEkxWsOeAd9jvcxkz01tAY/JAGFuabGnNBJ6TT4= -github.com/kolide/kit v0.0.0-20220920212810-17eca5d2e6d2 h1:wp1mWNZ2tb2Nq9uCa7g19PrYVHzBUb3RxU1aZCVuQGY= -github.com/kolide/kit v0.0.0-20220920212810-17eca5d2e6d2/go.mod h1:OYYulo9tUqRadRLwB0+LE914sa1ui2yL7OrcU3Q/1XY= -github.com/kolide/krypto v0.0.0-20220830180245-7cb3a3940071 h1:CMQwFVCVQR3ziaje/2TaW62CsTQrGybilNTkOWBadwA= -github.com/kolide/krypto v0.0.0-20220830180245-7cb3a3940071/go.mod h1:Xdw3V8Z6rsebg2tliGb1xU46QDOxhcwS2dz49qFtIwc= +github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab h1:KVR7cs+oPyy85i+8t1ZaNSy1bymCy5FuWyt51pdrXu4= +github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab/go.mod h1:OYYulo9tUqRadRLwB0+LE914sa1ui2yL7OrcU3Q/1XY= +github.com/kolide/krypto v0.0.0-20230123214238-2219d22c9a17 h1:yo3/AIS1ZQRcSnkiebs/hFcH0KQqzftShMCxx6gg3gQ= +github.com/kolide/krypto v0.0.0-20230123214238-2219d22c9a17/go.mod h1:PvKvoNvMWfyPXZN9/yXNrGtAasI2b+sc8RpwkCJGzzc= github.com/kolide/updater v0.0.0-20190315001611-15bbc19b5b80 h1:XFzdAHvTlbQoHZdEgOEiFt93eyfXP6VZCwH5p+lPpBg= github.com/kolide/updater 
v0.0.0-20190315001611-15bbc19b5b80/go.mod h1:x3dEGYbZovhD1t8OwEgdyu/4ZCvrn9QvkbPtOZnul8k= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -286,6 +311,7 @@ github.com/kr/pty v1.1.2/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mat/besticon v3.9.0+incompatible h1:SLaWKCE7ptsjWbQee8Sbx8F/WK4bw8b55tUV4mY0m/c= @@ -301,6 +327,7 @@ github.com/miekg/pkcs11 v0.0.0-20180208123018-5f6e0d0dad6f h1:8MAK/u+dE11/n8VIHQ github.com/miekg/pkcs11 v0.0.0-20180208123018-5f6e0d0dad6f/go.mod h1:WCBAbTOdfhHhz7YXujeZMF7owC4tPb1naKFsgfUISjo= github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= 
@@ -339,6 +366,7 @@ github.com/osquery/osquery-go v0.0.0-20210622151333-99b4efa62ec5/go.mod h1:JKR5Q github.com/osquery/osquery-go v0.0.0-20220706183148-4e1f83012b42 h1:Epwxipb+y/e8ss/SJ7947F8J6dwjv3RHRCz2g0OkCII= github.com/osquery/osquery-go v0.0.0-20220706183148-4e1f83012b42/go.mod h1:0KzmMhe0PL19cdYq6nd1cT9/5bMMJBTssAfuEgM2i34= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys= github.com/pelletier/go-toml v1.9.3 h1:zeC5b1GviRUyKYd6OJPvBU/mcVDVoL1OhT17FCt5dSQ= github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= 
@@ -366,8 +394,11 @@ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084 h1:sofwID9zm4tzrgykg80hfFph1mryUeLRsUfoocVVmRY= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/scjalliance/comshim v0.0.0-20190308082608-cf06d2532c4e h1:+/AzLkOdIXEPrAQtwAeWOBnPQ0BnYlBW0aCZmSb47u4= github.com/scjalliance/comshim v0.0.0-20190308082608-cf06d2532c4e/go.mod h1:9Tc1SKnfACJb9N7cw2eyuI6xzy845G7uZONBsi5uPEA= 
@@ -376,6 +407,7 @@ github.com/serenize/snaker v0.0.0-20171204205717-a683aaf2d516 h1:ofR1ZdrNSkiWcMs github.com/serenize/snaker v0.0.0-20171204205717-a683aaf2d516/go.mod h1:Yow6lPLSAXx2ifx470yD/nUe22Dv5vBvxK/UK9UUTVs= github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI= github.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 
@@ -383,15 +415,24 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykE github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= 
github.com/spf13/viper v1.8.1 h1:Kq1fyeebqsBfbjZj4EL7gj2IO0mMaiyjYUWcUsl2O44= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -421,12 +462,17 @@ github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03O github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk= github.com/tklauser/numcpus v0.4.0 h1:E53Dm1HjH1/R2/aoCtXtPgzmElmn51aOkhCFSuZq//o= github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU= github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc= github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g= github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds= github.com/wadey/gocovmerge v0.0.0-20160331181800-b5bfa59ec0ad/go.mod h1:Hy8o65+MXnS6EwGElrSRjUzQDLXreJlzYLlWiHtt8hM= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
@@ -435,6 +481,7 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yusufpapurcu/wmi v1.2.2 h1:KBNDSne4vP5mbSWnJbO+51IMOXJB67QiYCSBrubbPRg= github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= 
@@ -449,11 +496,15 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 
@@ -461,8 +512,9 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8= +golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -509,12 +561,14 @@ golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -577,6 +631,7 @@ golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= @@ -621,6 +676,7 @@ golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -646,6 +702,7 @@ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -778,6 +835,7 @@ google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c h1:wtujag7C+4D6KMo google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= 
@@ -828,10 +886,12 @@ gopkg.in/ini.v1 v1.62.0 h1:duBzk771uxoUuOlyRLkHsygud9+5lrlGjdFBb4mSKDU= gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8= gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= gopkg.in/toast.v1 v1.0.0-20180812000517-0a84660828b2 h1:MZF6J7CV6s/h0HBkfqebrYfKCVEo5iN+wzE4QhV3Evo= gopkg.in/toast.v1 v1.0.0-20180812000517-0a84660828b2/go.mod h1:s1Sn2yZos05Qfs7NKt867Xe18emOmtsO3eAKbDaon0o= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= From e3ba1be16e87d79c79eb7302465216a2e5b9839e Mon Sep 17 00:00:00 2001 From: seph Date: Mon, 23 Jan 2023 20:52:52 -0500 Subject: [PATCH 11/20] local keys --- pkg/agent/keys.go | 37 ++++++++-------- pkg/agent/keys/local.go | 93 ++++++++++++++++++++++++++++++++++++++++ pkg/agent/keys/noop.go | 25 +++++++++++ pkg/agent/keys_darwin.go | 28 +++--------- pkg/agent/keys_tpm.go | 13 +++--- 5 files changed, 149 insertions(+), 47 deletions(-) create mode 100644 pkg/agent/keys/local.go create mode 100644 pkg/agent/keys/noop.go diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go index 6567b684c..75b446d2c 100644 --- a/pkg/agent/keys.go +++ b/pkg/agent/keys.go 
@@ -2,12 +2,11 @@ package agent
 import (
 "crypto"
- "errors"
 "fmt"
- "io"
 "github.com/go-kit/kit/log"
 "github.com/go-kit/kit/log/level"
+ "github.com/kolide/launcher/pkg/agent/keys"
 "go.etcd.io/bbolt"
 )
@@ -16,26 +15,28 @@ type keyInt interface {
 //Type() string // Not Yet Supported by Krypto
 }
-type noopKeys struct {
-}
-
-func (n noopKeys) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) (signature []byte, err error) {
- return nil, errors.New("Can't sign. Unconfigured keys")
-}
+var Keys keyInt = keys.Noop
+var LocalDbKeys keyInt = keys.Noop
-func (n noopKeys) Public() crypto.PublicKey {
- return nil
-}
+func SetupKeys(logger log.Logger, db *bbolt.DB) error {
+ var err error
-func (n noopKeys) Type() string {
- return "noop"
-}
+ // Always setup a local key
+ LocalDbKeys, err = keys.SetupLocalDbKey(logger, db)
+ if err != nil {
+ return fmt.Errorf("setting up local db keys: %w", err)
+ }
-var Keys keyInt = noopKeys{}
+ Keys, err = setupHardwareKeys(logger, db)
+ if err != nil {
+ // Now this is a conundrum. What should we do if there's a hardware keying error?
+ // We could return the error, and abort, but that would block launcher for working in places
+ // without keys. Inatead, we log the error and set Keys to the localDb key.
+ level.Info(logger).Log("msg", "setting up hardware keys", "err", err)
+ Keys = LocalDbKeys
+ }
-func SetupKeys(logger log.Logger, db *bbolt.DB) error {
- // FIXME: How do we detect failure is _hardware_ and fallback to local keys?
- return setupHardwareKeys(logger, db)
+ return nil
 }
 // This duplicates some of pkg/osquery/extension.go but that feels like the wrong place.
diff --git a/pkg/agent/keys/local.go b/pkg/agent/keys/local.go
new file mode 100644
index 000000000..a274ce2ca
--- /dev/null
+++ b/pkg/agent/keys/local.go
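Review bot: SetupKeys falls back from the hardware-backed key to the database-stored key on any setupHardwareKeys error and records that only at level.Info, so a host whose TPM or Secure Enclave has stopped working looks the same in the logs as one that never had one, and nothing about Keys reveals the downgrade. Log the fallback at least at `level.Error(logger).Log("msg", "hardware key setup failed, falling back to local db key", "err", err)` and consider having consumers check Type() so policy can treat a local-key device differently from a hardware-key one. Separately, SetupLocalDbKey returns a `*dbKey`, so on error the package-level `LocalDbKeys` is left holding a typed-nil pointer inside a non-nil interface; assign to a local and store it only on success so a caller that ignores the returned error cannot reach a nil dereference in Sign. The comment above the fallback also has a typo, `Inatead`.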
@@ -0,0 +1,93 @@ +package keys + +import ( + "crypto/ecdsa" + "crypto/x509" + "fmt" + + "github.com/go-kit/kit/log" + "github.com/go-kit/kit/log/level" + "github.com/kolide/krypto/pkg/echelper" + "go.etcd.io/bbolt" +) + +// This duplicates some of pkg/osquery/extension.go but that feels like the wrong place. +// Really, we should have a simpler interface over a storage layer. +const ( + bucketName = "config" + localKey = "localEccKey" +) + +// dbKey is keyInt over a key stored in the agent database. Its used in places where we don't want, or don't have, the hardware key. +type dbKey struct { + *ecdsa.PrivateKey +} + +func (k dbKey) Type() string { + return "local" +} + +func SetupLocalDbKey(logger log.Logger, db *bbolt.DB) (*dbKey, error) { + if key, err := fetchKey(db); key != nil && err != nil { + return &dbKey{key}, nil + } else if err != nil { + level.Info(logger).Log("msg", "Failed to parse key, regenerating", "err", err) + } else if key == nil { + level.Info(logger).Log("msg", "No key found, generating new key") + } + + // Time to regenerate! + key, err := echelper.GenerateEcdsaKey() + if err != nil { + return nil, fmt.Errorf("generating new key: %w", err) + } + + // Store the key in the database. + if err := storeKey(db, key); err != nil { + return nil, fmt.Errorf("storing new key: %w", err) + } + + return &dbKey{key}, nil +} + +func fetchKey(db *bbolt.DB) (*ecdsa.PrivateKey, error) { + var raw []byte + + // There's nothing that can really return an error here. Either we have a key, or we don't. 
+ _ = db.View(func(tx *bbolt.Tx) error { + b := tx.Bucket([]byte(bucketName)) + if b == nil { + return nil + } + + raw = b.Get([]byte(localKey)) + return nil + }) + + // No key, just return nils + if raw == nil { + return nil, nil + } + + return x509.ParseECPrivateKey(raw) +} + +func storeKey(db *bbolt.DB, key *ecdsa.PrivateKey) error { + raw, err := x509.MarshalPKIXPublicKey(key) + if err != nil { + return fmt.Errorf("marshaling key: %w", err) + } + + return db.Update(func(tx *bbolt.Tx) error { + b, err := tx.CreateBucketIfNotExists([]byte(bucketName)) + if err != nil { + return fmt.Errorf("creating bucket: %w", err) + } + + if err := b.Put([]byte(localKey), raw); err != nil { + return err + } + + return nil + }) +} diff --git a/pkg/agent/keys/noop.go b/pkg/agent/keys/noop.go new file mode 100644 index 000000000..98ec7f541 --- /dev/null +++ b/pkg/agent/keys/noop.go @@ -0,0 +1,25 @@ +package keys + +import ( + "crypto" + "errors" + "io" +) + +// noopKeys is a no-op implementation of keyInt. It's here to be a default +type noopKeys struct { +} + +func (n noopKeys) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) (signature []byte, err error) { + return nil, errors.New("Can't sign. Unconfigured keys") +} + +func (n noopKeys) Public() crypto.PublicKey { + return nil +} + +func (n noopKeys) Type() string { + return "noop" +} + +var Noop = noopKeys{} diff --git a/pkg/agent/keys_darwin.go b/pkg/agent/keys_darwin.go index d12188caa..c684b57d1 100644 --- a/pkg/agent/keys_darwin.go +++ b/pkg/agent/keys_darwin.go @@ -12,10 +12,10 @@ import ( "go.etcd.io/bbolt" ) -func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { +func setupHardwareKeys(logger log.Logger, db *bbolt.DB) (keyInt, error) { _, pubData, err := fetchKeyData(db) if err != nil { - return err + return nil, err } if pubData == nil { 
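Review bot: fetchKey discards the db.View error (`_ = db.View(...)`), and SetupLocalDbKey treats any non-nil error from fetchKey as "regenerate", so a transient read failure or one corrupted record silently replaces the device's local signing key with a fresh one, logged only at Info; presumably whatever a server had recorded for this device then no longer verifies. I would propagate the View error (`if err := db.View(...); err != nil { return nil, fmt.Errorf("reading local key: %w", err) }`), regenerate only on the not-found path and, if parse failures should self-heal, log that regeneration at `level.Warn` so the rotation is visible. The `dbKey` doc comment should also state that the private key is stored unencrypted in the database, so its only protection is the DB file's permissions — that is the property that distinguishes it from the hardware keys described in the comment above it.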
@@ -24,35 +24,19 @@ func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { var err error pubData, err = secureenclave.CreateKey() if err != nil { - return fmt.Errorf("creating key: %w", err) + return nil, fmt.Errorf("creating key: %w", err) } if err := storeKeyData(db, nil, pubData); err != nil { clearKeyData(logger, db) - return fmt.Errorf("storing key: %w", err) + return nil, fmt.Errorf("storing key: %w", err) } } k, err := secureenclave.New(pubData) if err != nil { - return fmt.Errorf("creating secureenclave signer: %w", err) + return nil, fmt.Errorf("creating secureenclave signer: %w", err) } - Keys = k - return nil + return k, nil } - -/* -// TODO: These raw functions should just move into secureenclave. There's some skew between Create and New - -func rawToEcdsa(raw []byte) *ecdsa.PublicKey { - ecKey := new(ecdsa.PublicKey) - ecKey.Curve = elliptic.P256() - ecKey.X, ecKey.Y = elliptic.Unmarshal(ecKey.Curve, raw) - return ecKey -} - -func ecdsaToRaw(key *ecdsa.PublicKey) []byte { - return elliptic.Marshal(elliptic.P256(), key.X, key.Y) -} -*/ diff --git a/pkg/agent/keys_tpm.go b/pkg/agent/keys_tpm.go index 40b25b95e..3bacf6556 100644 --- a/pkg/agent/keys_tpm.go +++ b/pkg/agent/keys_tpm.go @@ -12,10 +12,10 @@ import ( "go.etcd.io/bbolt" ) -func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { +func setupHardwareKeys(logger log.Logger, db *bbolt.DB) (keyInt, error) { priData, pubData, err := fetchKeyData(db) if err != nil { - return err + return nil, err } if pubData == nil || priData == nil { 
@@ -25,20 +25,19 @@ func setupHardwareKeys(logger log.Logger, db *bbolt.DB) error { priData, pubData, err = tpm.CreateKey() if err != nil { clearKeyData(logger, db) - return fmt.Errorf("creating key: %w", err) + return nil, fmt.Errorf("creating key: %w", err) } if err := storeKeyData(db, priData, pubData); err != nil { clearKeyData(logger, db) - return fmt.Errorf("storing key: %w", err) + return nil, fmt.Errorf("storing key: %w", err) } } k, err := tpm.New(priData, pubData) if err != nil { - return fmt.Errorf("creating tpm signer:, from new key %w", err) + return nil, fmt.Errorf("creating tpm signer:, from new key %w", err) } - Keys = k - return nil + return k, nil } From c0c6afb36b87bd3e33ae81473b8c9ec7de330f18 Mon Sep 17 00:00:00 2001 From: seph Date: Mon, 23 Jan 2023 20:58:00 -0500 Subject: [PATCH 12/20] plumbing --- pkg/osquery/extension.go | 6 +++++- pkg/osquery/table/launcher_info.go | 10 +++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/pkg/osquery/extension.go b/pkg/osquery/extension.go index 194fa1ce8..7390322e0 100644 --- a/pkg/osquery/extension.go +++ b/pkg/osquery/extension.go @@ -19,6 +19,7 @@ import ( "github.com/go-kit/kit/log/level" "github.com/google/uuid" "github.com/kolide/kit/version" + "github.com/kolide/launcher/pkg/agent" "github.com/kolide/launcher/pkg/backoff" "github.com/kolide/launcher/pkg/service" "github.com/mixer/clock" @@ -181,6 +182,10 @@ func NewExtension(client service.KolideService, db *bbolt.DB, opts ExtensionOpts return nil, fmt.Errorf("setting up initial launcher keys: %w", err) } + if err := agent.SetupKeys(opts.Logger, db); err != nil { + return nil, fmt.Errorf("setting up agent keys: %w", err) + } + identifier, err := IdentifierFromDB(db) if err != nil { return nil, fmt.Errorf("get host identifier from db when creating new extension: %w", err) @@ -263,7 +268,6 @@ func SetupLauncherKeys(db *bbolt.DB) error { } return nil - }) return err 
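Review bot: When `tpm.New(priData, pubData)` fails for key material that was already present in the database (the `pubData == nil || priData == nil` branch was skipped), nothing clears the stored blobs, so if the stored private blob no longer loads — e.g. the TPM was cleared or re-provisioned — every subsequent start repeats the same failure and, with the fallback added to SetupKeys in this patch, the device stays permanently on the software key. If that failure mode can be told apart from a transient one, `clearKeyData(logger, db)` before returning from that branch would let the next start create a fresh TPM key; at minimum the error should be logged at Warn level here, since the caller only surfaces it at Info. The start of setupHardwareKeys is outside this hunk.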
diff --git a/pkg/osquery/table/launcher_info.go b/pkg/osquery/table/launcher_info.go index ff7d9d011..ec3d8b899 100644 --- a/pkg/osquery/table/launcher_info.go +++ b/pkg/osquery/table/launcher_info.go @@ -26,9 +26,10 @@ func LauncherInfoTable(db *bbolt.DB) *table.Plugin { table.TextColumn("identifier"), table.TextColumn("osquery_instance_id"), - // New hardware keys + // New hardware and local keys table.TextColumn("signing_key"), table.TextColumn("signing_key_source"), + table.TextColumn("local_key"), // Old RSA Key table.TextColumn("fingerprint"), @@ -83,6 +84,13 @@ func generateLauncherInfoTable(db *bbolt.DB) table.GenerateFunc { } } + if localKey := agent.LocalDbKeys.Public(); localKey != nil { + var pem bytes.Buffer + if err := osquery.PublicKeyToPem(localKey, &pem); err == nil { + results[0]["local_key"] = pem.String() + } + } + return results, nil } } From c6e0ec83d620082a3800f5e9734e27777db65b32 Mon Sep 17 00:00:00 2001 From: seph Date: Mon, 23 Jan 2023 21:00:52 -0500 Subject: [PATCH 13/20] lint --- pkg/agent/keys.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go index 75b446d2c..d216f7289 100644 --- a/pkg/agent/keys.go +++ b/pkg/agent/keys.go @@ -87,7 +87,7 @@ func storeKeyData(db *bbolt.DB, pri, pub []byte) error { }) } -// clearKeyData is used to clear the keys as part of error handling around new keys. It is not intented to be called +// clearKeyData is used to clear the keys as part of error handling around new keys. It is not intended to be called // regularly, and since the path that calls it is around DB errors, it has no error handling. func clearKeyData(logger log.Logger, db *bbolt.DB) { level.Info(logger).Log("msg", "Clearing keys") From c77f475a04082a69207a8bd302a57670da29c9ce Mon Sep 17 00:00:00 2001 
From: seph Date: Mon, 23 Jan 2023 21:33:16 -0500 Subject: [PATCH 14/20] fix marshalling --- pkg/agent/keys/local.go | 5 ++-- pkg/agent/keys/local_test.go | 45 ++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 pkg/agent/keys/local_test.go diff --git a/pkg/agent/keys/local.go b/pkg/agent/keys/local.go index a274ce2ca..e7b557d34 100644 --- a/pkg/agent/keys/local.go +++ b/pkg/agent/keys/local.go @@ -28,7 +28,8 @@ func (k dbKey) Type() string { } func SetupLocalDbKey(logger log.Logger, db *bbolt.DB) (*dbKey, error) { - if key, err := fetchKey(db); key != nil && err != nil { + if key, err := fetchKey(db); key != nil && err == nil { + level.Info(logger).Log("msg", "found local key in database") return &dbKey{key}, nil } else if err != nil { level.Info(logger).Log("msg", "Failed to parse key, regenerating", "err", err) @@ -73,7 +74,7 @@ func fetchKey(db *bbolt.DB) (*ecdsa.PrivateKey, error) { } func storeKey(db *bbolt.DB, key *ecdsa.PrivateKey) error { - raw, err := x509.MarshalPKIXPublicKey(key) + raw, err := x509.MarshalECPrivateKey(key) if err != nil { return fmt.Errorf("marshaling key: %w", err) } diff --git a/pkg/agent/keys/local_test.go b/pkg/agent/keys/local_test.go new file mode 100644 index 000000000..3ad3f18f4 --- /dev/null +++ b/pkg/agent/keys/local_test.go 
@@ -0,0 +1,45 @@ +package keys + +import ( + "os" + "path/filepath" + "testing" + + "github.com/go-kit/kit/log" + "github.com/stretchr/testify/require" + "go.etcd.io/bbolt" +) + +func TestSetupLocalDbKey(t *testing.T) { + t.Parallel() + + db := setupDb(t) + logger := log.NewJSONLogger(os.Stderr) //log.NewNopLogger() + + key, err := SetupLocalDbKey(logger, db) + require.NoError(t, err) + require.NotNil(t, key) + + // Call a thing. Make sure this is a real key + require.NotNil(t, key.Public()) + + // If we call this _again_ do we get the same key back? + key2, err := SetupLocalDbKey(logger, db) + require.NoError(t, err) + require.Equal(t, key.Public(), key2.Public()) + +} + +func setupDb(t *testing.T) *bbolt.DB { + // Create a temp directory to hold our bbolt db + dbDir := t.TempDir() + + // Create database; ensure we clean it up after the test + db, err := bbolt.Open(filepath.Join(dbDir, "test.db"), 0600, nil) + require.NoError(t, err) + t.Cleanup(func() { + require.NoError(t, db.Close()) + }) + + return db +} From 6d2d44b9b00f790f092e62c22d8c4614b85cf5ba Mon Sep 17 00:00:00 2001 From: seph Date: Mon, 23 Jan 2023 22:18:43 -0500 Subject: [PATCH 15/20] no more parallel --- pkg/osquery/extension_test.go | 41 +++++------------------------------ 1 file changed, 6 insertions(+), 35 deletions(-) diff --git a/pkg/osquery/extension_test.go b/pkg/osquery/extension_test.go index 10bd7542f..0a8fbfbbd 100644 --- a/pkg/osquery/extension_test.go +++ b/pkg/osquery/extension_test.go @@ -1,3 +1,7 @@ +// Running this in parallel on the GH workers generates a lot of false positive noise. It all smells like things +// deep inside boltdb. Since we usually rerun tests until they pass, let's just disable paralleltest and linting. +// +//nolint:paralleltest package osquery import ( 
@@ -40,7 +44,6 @@ func makeTempDB(t *testing.T) (db *bbolt.DB, cleanup func()) { } func TestNewExtensionEmptyEnrollSecret(t *testing.T) { - t.Parallel() e, err := NewExtension(&mock.KolideService{}, nil, ExtensionOpts{}) assert.NotNil(t, err) @@ -48,7 +51,6 @@ func TestNewExtensionEmptyEnrollSecret(t *testing.T) { } func TestNewExtensionDatabaseError(t *testing.T) { - t.Parallel() file, err := os.CreateTemp("", "kolide_launcher_test") if err != nil { @@ -75,7 +77,6 @@ func TestNewExtensionDatabaseError(t *testing.T) { } func TestGetHostIdentifier(t *testing.T) { - t.Parallel() db, cleanup := makeTempDB(t) defer cleanup() @@ -103,7 +104,6 @@ func TestGetHostIdentifier(t *testing.T) { } func TestGetHostIdentifierCorruptedData(t *testing.T) { - t.Parallel() // Put bad data in the DB and ensure we can still generate a fresh UUID db, cleanup := makeTempDB(t) @@ -129,7 +129,6 @@ func TestGetHostIdentifierCorruptedData(t *testing.T) { } func TestExtensionEnrollTransportError(t *testing.T) { - t.Parallel() m := &mock.KolideService{ RequestEnrollmentFunc: func(ctx context.Context, enrollSecret, hostIdentifier string, details service.EnrollmentDetails) (string, bool, error) { @@ -167,7 +166,6 @@ func (mockClient) Query(sql string) ([]map[string]string, error) { } func TestExtensionEnrollSecretInvalid(t *testing.T) { - t.Parallel() m := &mock.KolideService{ RequestEnrollmentFunc: func(ctx context.Context, enrollSecret, hostIdentifier string, details service.EnrollmentDetails) (string, bool, error) { @@ -188,7 +186,6 @@ func TestExtensionEnrollSecretInvalid(t *testing.T) { } func TestExtensionEnroll(t *testing.T) { - t.Parallel() var gotEnrollSecret string expectedNodeKey := "node_key" @@ -246,7 +243,6 @@ func TestExtensionEnroll(t *testing.T) { } func TestExtensionGenerateConfigsTransportError(t *testing.T) { - t.Parallel() m := &mock.KolideService{ RequestConfigFunc: func(ctx context.Context, nodeKey string) (string, bool, error) { 
@@ -266,7 +262,6 @@ func TestExtensionGenerateConfigsTransportError(t *testing.T) { } func TestExtensionGenerateConfigsCaching(t *testing.T) { - t.Parallel() configVal := `{"foo": "bar"}` m := &mock.KolideService{ @@ -298,7 +293,6 @@ func TestExtensionGenerateConfigsCaching(t *testing.T) { } func TestExtensionGenerateConfigsEnrollmentInvalid(t *testing.T) { - t.Parallel() expectedNodeKey := "good_node_key" var gotNodeKey string @@ -327,7 +321,6 @@ func TestExtensionGenerateConfigsEnrollmentInvalid(t *testing.T) { } func TestExtensionGenerateConfigs(t *testing.T) { - t.Parallel() configVal := `{"foo": "bar"}` m := &mock.KolideService{ @@ -347,7 +340,6 @@ func TestExtensionGenerateConfigs(t *testing.T) { } func TestExtensionWriteLogsTransportError(t *testing.T) { - t.Parallel() m := &mock.KolideService{ PublishLogsFunc: func(ctx context.Context, nodeKey string, logType logger.LogType, logs []string) (string, string, bool, error) { @@ -365,7 +357,6 @@ func TestExtensionWriteLogsTransportError(t *testing.T) { } func TestExtensionWriteLogsEnrollmentInvalid(t *testing.T) { - t.Parallel() expectedNodeKey := "good_node_key" var gotNodeKey string @@ -393,7 +384,6 @@ func TestExtensionWriteLogsEnrollmentInvalid(t *testing.T) { } func TestExtensionWriteLogs(t *testing.T) { - t.Parallel() var gotNodeKey string var gotLogType logger.LogType @@ -423,7 +413,6 @@ func TestExtensionWriteLogs(t *testing.T) { } func TestKeyConversion(t *testing.T) { - t.Parallel() expectedUintKeyVals := []uint64{1, 2, 64, 128, 200, 1000, 2000, 500003, 10000003, 200003005} byteKeys := make([][]byte, 0, len(expectedUintKeyVals)) @@ -444,7 +433,6 @@ func TestKeyConversion(t *testing.T) { } func TestRandomKeyConversion(t *testing.T) { - t.Parallel() // Check that roundtrips for random values result in the same key f := func(k uint64) bool { 
@@ -456,7 +444,6 @@ func TestRandomKeyConversion(t *testing.T) { } func TestByteKeyFromUint64(t *testing.T) { - t.Parallel() // Assert correct sorted order of keys generated by key function keyVals := []uint64{1, 2, 64, 128, 200, 1000, 2000, 50000, 1000000, 2000000} @@ -470,7 +457,6 @@ func TestByteKeyFromUint64(t *testing.T) { } func TestExtensionWriteBufferedLogsEmpty(t *testing.T) { - t.Parallel() m := &mock.KolideService{ PublishLogsFunc: func(ctx context.Context, nodeKey string, logType logger.LogType, logs []string) (string, string, bool, error) { @@ -491,7 +477,6 @@ func TestExtensionWriteBufferedLogsEmpty(t *testing.T) { } func TestExtensionWriteBufferedLogs(t *testing.T) { - t.Parallel() var gotStatusLogs, gotResultLogs []string m := &mock.KolideService{ @@ -549,9 +534,7 @@ func TestExtensionWriteBufferedLogs(t *testing.T) { assert.Nil(t, gotResultLogs) } -func TestExtensionWriteBufferedLogsEnrollmentInvalid(t *testing.T) { //nolint:paralleltest - // t.Parallel() commented out due to timeouts in github actions runner - +func TestExtensionWriteBufferedLogsEnrollmentInvalid(t *testing.T) { // Test for https://github.com/kolide/launcher/issues/219 in which a // call to writeBufferedLogsForType with an invalid node key causes a // deadlock. @@ -586,7 +569,6 @@ func TestExtensionWriteBufferedLogsEnrollmentInvalid(t *testing.T) { //nolint:pa } func TestExtensionWriteBufferedLogsLimit(t *testing.T) { - t.Parallel() var gotStatusLogs, gotResultLogs []string m := &mock.KolideService{ @@ -651,7 +633,6 @@ func TestExtensionWriteBufferedLogsLimit(t *testing.T) { } func TestExtensionWriteBufferedLogsDropsBigLog(t *testing.T) { - t.Parallel() var gotStatusLogs, gotResultLogs []string m := &mock.KolideService{ 
@@ -719,9 +700,7 @@ func TestExtensionWriteBufferedLogsDropsBigLog(t *testing.T) { require.Equal(t, 0, finalLogCount, "no more queued logs") } -func TestExtensionWriteLogsLoop(t *testing.T) { //nolint:paralleltest - // t.Parallel() commented out due to timeouts in github actions runner - +func TestExtensionWriteLogsLoop(t *testing.T) { var gotStatusLogs, gotResultLogs []string var funcInvokedStatus, funcInvokedResult bool var done = make(chan struct{}) @@ -819,7 +798,6 @@ func TestExtensionWriteLogsLoop(t *testing.T) { //nolint:paralleltest } func TestExtensionPurgeBufferedLogs(t *testing.T) { - t.Parallel() var gotStatusLogs, gotResultLogs []string m := &mock.KolideService{ @@ -867,7 +845,6 @@ func TestExtensionPurgeBufferedLogs(t *testing.T) { } func TestExtensionGetQueriesTransportError(t *testing.T) { - t.Parallel() m := &mock.KolideService{ RequestQueriesFunc: func(ctx context.Context, nodeKey string) (*distributed.GetQueriesResult, bool, error) { @@ -886,7 +863,6 @@ func TestExtensionGetQueriesTransportError(t *testing.T) { } func TestExtensionGetQueriesEnrollmentInvalid(t *testing.T) { - t.Parallel() expectedNodeKey := "good_node_key" var gotNodeKey string @@ -915,7 +891,6 @@ func TestExtensionGetQueriesEnrollmentInvalid(t *testing.T) { } func TestExtensionGetQueries(t *testing.T) { - t.Parallel() expectedQueries := map[string]string{ "time": "select * from time", @@ -940,7 +915,6 @@ func TestExtensionGetQueries(t *testing.T) { } func TestExtensionWriteResultsTransportError(t *testing.T) { - t.Parallel() m := &mock.KolideService{ PublishResultsFunc: func(ctx context.Context, nodeKey string, results []distributed.Result) (string, string, bool, error) { @@ -958,7 +932,6 @@ func TestExtensionWriteResultsTransportError(t *testing.T) { } func TestExtensionWriteResultsEnrollmentInvalid(t *testing.T) { - t.Parallel() expectedNodeKey := "good_node_key" var gotNodeKey string 
@@ -986,7 +959,6 @@ func TestExtensionWriteResultsEnrollmentInvalid(t *testing.T) { } func TestExtensionWriteResults(t *testing.T) { - t.Parallel() var gotResults []distributed.Result m := &mock.KolideService{ @@ -1015,7 +987,6 @@ func TestExtensionWriteResults(t *testing.T) { } func TestLauncherRsaKeys(t *testing.T) { - t.Parallel() m := &mock.KolideService{} From 9b51cdbf09f7aa37711aaf4ece5c0959a82a154c Mon Sep 17 00:00:00 2001 From: seph Date: Tue, 24 Jan 2023 09:12:56 -0500 Subject: [PATCH 16/20] add Type() --- go.mod | 2 +- go.sum | 2 ++ pkg/agent/keys.go | 2 +- pkg/osquery/table/launcher_info.go | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 410698b48..7fdfd1cb1 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( github.com/kardianos/osext v0.0.0-20170510131534-ae77be60afb1 github.com/knightsc/system_policy v1.1.1-0.20211029142728-5f4c0d5419cc github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab - github.com/kolide/krypto v0.0.0-20230123214238-2219d22c9a17 + github.com/kolide/krypto v0.0.0-20230124061533-be5d5ab73444 github.com/kolide/updater v0.0.0-20190315001611-15bbc19b5b80 github.com/kr/pty v1.1.2 github.com/mat/besticon v3.9.0+incompatible diff --git a/go.sum b/go.sum index ddf1d4ee4..b03bddd7c 100644 --- a/go.sum +++ b/go.sum 
@@ -298,6 +298,8 @@ github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab h1:KVR7cs+oPyy85i+8t1Za github.com/kolide/kit v0.0.0-20221107170827-fb85e3d59eab/go.mod h1:OYYulo9tUqRadRLwB0+LE914sa1ui2yL7OrcU3Q/1XY= github.com/kolide/krypto v0.0.0-20230123214238-2219d22c9a17 h1:yo3/AIS1ZQRcSnkiebs/hFcH0KQqzftShMCxx6gg3gQ= github.com/kolide/krypto v0.0.0-20230123214238-2219d22c9a17/go.mod h1:PvKvoNvMWfyPXZN9/yXNrGtAasI2b+sc8RpwkCJGzzc= +github.com/kolide/krypto v0.0.0-20230124061533-be5d5ab73444 h1:Y6LS/fw2JVXx9wQsNQbtS+brGzrdJOA11W0lbjNCCrY= +github.com/kolide/krypto v0.0.0-20230124061533-be5d5ab73444/go.mod h1:PvKvoNvMWfyPXZN9/yXNrGtAasI2b+sc8RpwkCJGzzc= github.com/kolide/updater v0.0.0-20190315001611-15bbc19b5b80 h1:XFzdAHvTlbQoHZdEgOEiFt93eyfXP6VZCwH5p+lPpBg= github.com/kolide/updater v0.0.0-20190315001611-15bbc19b5b80/go.mod h1:x3dEGYbZovhD1t8OwEgdyu/4ZCvrn9QvkbPtOZnul8k= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go index d216f7289..e6bdb267b 100644 --- a/pkg/agent/keys.go +++ b/pkg/agent/keys.go @@ -12,7 +12,7 @@ import ( type keyInt interface { crypto.Signer - //Type() string // Not Yet Supported by Krypto + Type() string } var Keys keyInt = keys.Noop diff --git a/pkg/osquery/table/launcher_info.go b/pkg/osquery/table/launcher_info.go index ec3d8b899..323fbc26f 100644 --- a/pkg/osquery/table/launcher_info.go +++ b/pkg/osquery/table/launcher_info.go @@ -80,7 +80,7 @@ func generateLauncherInfoTable(db *bbolt.DB) table.GenerateFunc { var pem bytes.Buffer if err := osquery.PublicKeyToPem(eccKey, &pem); err == nil { results[0]["signing_key"] = pem.String() - results[0]["signing_key_source"] = "TBD" + results[0]["signing_key_source"] = agent.Keys.Type() } } From 5a63ad2a067ad5a76f93b7fcb5cb19202040b22d Mon Sep 17 00:00:00 2001 
From: seph Date: Tue, 24 Jan 2023 09:17:56 -0500 Subject: [PATCH 17/20] func, not global --- pkg/agent/keys.go | 18 +++++++++++++----- pkg/osquery/table/launcher_info.go | 6 +++--- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go index e6bdb267b..da14f1984 100644 --- a/pkg/agent/keys.go +++ b/pkg/agent/keys.go @@ -15,25 +15,33 @@ type keyInt interface { Type() string } -var Keys keyInt = keys.Noop -var LocalDbKeys keyInt = keys.Noop +var hardwareKeys keyInt = keys.Noop +var localDbKeys keyInt = keys.Noop + +func Keys() keyInt { + return hardwareKeys +} + +func LocalDbKeys() keyInt { + return localDbKeys +} func SetupKeys(logger log.Logger, db *bbolt.DB) error { var err error // Always setup a local key - LocalDbKeys, err = keys.SetupLocalDbKey(logger, db) + localDbKeys, err = keys.SetupLocalDbKey(logger, db) if err != nil { return fmt.Errorf("setting up local db keys: %w", err) } - Keys, err = setupHardwareKeys(logger, db) + hardwareKeys, err = setupHardwareKeys(logger, db) if err != nil { // Now this is a conundrum. What should we do if there's a hardware keying error? // We could return the error, and abort, but that would block launcher for working in places // without keys. Inatead, we log the error and set Keys to the localDb key. level.Info(logger).Log("msg", "setting up hardware keys", "err", err) - Keys = LocalDbKeys + hardwareKeys = localDbKeys } return nil diff --git a/pkg/osquery/table/launcher_info.go b/pkg/osquery/table/launcher_info.go index 323fbc26f..c70abcc26 100644 --- a/pkg/osquery/table/launcher_info.go +++ b/pkg/osquery/table/launcher_info.go 
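Review bot: `localDbKeys, err = keys.SetupLocalDbKey(logger, db)` stores the `*dbKey` return directly into the `keyInt` interface, so on the error path the global becomes a non-nil interface wrapping a nil pointer; SetupKeys does return the error, but `LocalDbKeys()` still hands that value out and, as far as I can tell, `Public()` on it (the promoted method from the embedded `*ecdsa.PrivateKey`) would dereference nil when the launcher_info table calls it. Assign to a local and publish only on success: `k, err := keys.SetupLocalDbKey(logger, db)` / `if err != nil { return fmt.Errorf("setting up local db keys: %w", err) }` / `localDbKeys = k`. The hardwareKeys assignment is safe only because setupHardwareKeys already returns the interface type. The globals are also read via Keys()/LocalDbKeys() and written by SetupKeys with no synchronization, so a doc comment stating that SetupKeys must complete before any reader runs would make the assumption explicit.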
@@ -76,15 +76,15 @@ func generateLauncherInfoTable(db *bbolt.DB) table.GenerateFunc { } // No logger, so just ignore errors. generate the pem encoding if we can. - if eccKey := agent.Keys.Public(); eccKey != nil { + if eccKey := agent.Keys().Public(); eccKey != nil { var pem bytes.Buffer if err := osquery.PublicKeyToPem(eccKey, &pem); err == nil { results[0]["signing_key"] = pem.String() - results[0]["signing_key_source"] = agent.Keys.Type() + results[0]["signing_key_source"] = agent.Keys().Type() } } - if localKey := agent.LocalDbKeys.Public(); localKey != nil { + if localKey := agent.LocalDbKeys().Public(); localKey != nil { var pem bytes.Buffer if err := osquery.PublicKeyToPem(localKey, &pem); err == nil { results[0]["local_key"] = pem.String() From defc27901822e533268619fe8dcd3b057732a41d Mon Sep 17 00:00:00 2001 From: seph Date: Tue, 24 Jan 2023 09:21:04 -0500 Subject: [PATCH 18/20] feedback --- pkg/agent/keys.go | 2 +- pkg/agent/keys/local_test.go | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go index da14f1984..2604b23df 100644 --- a/pkg/agent/keys.go +++ b/pkg/agent/keys.go @@ -40,7 +40,7 @@ func SetupKeys(logger log.Logger, db *bbolt.DB) error { // Now this is a conundrum. What should we do if there's a hardware keying error? // We could return the error, and abort, but that would block launcher for working in places // without keys. Inatead, we log the error and set Keys to the localDb key. - level.Info(logger).Log("msg", "setting up hardware keys", "err", err) + level.Info(logger).Log("msg", "Failed to setting up hardware keys, falling back to local DB keys", "err", err) hardwareKeys = localDbKeys } diff --git a/pkg/agent/keys/local_test.go b/pkg/agent/keys/local_test.go index 3ad3f18f4..5b34877b6 100644 --- a/pkg/agent/keys/local_test.go +++ b/pkg/agent/keys/local_test.go @@ -1,7 +1,6 @@ package keys import ( - "os" "path/filepath" "testing" 
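Review bot: Falling back from the hardware-backed key to the key stored unencrypted in the database (keys/local.go) is a security downgrade — the device loses its hardware-rooted identity and its private key becomes readable to anyone who can read the bbolt file — yet the changed line still logs it at `level.Info`. Use `level.Warn(logger).Log("msg", "Failed to set up hardware keys, falling back to local DB keys", "err", err)` (or Error) so it stands out in fleet logs, which also fixes the grammar of the message. SetupKeys begins and ends outside this hunk.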
@@ -14,7 +13,7 @@ func TestSetupLocalDbKey(t *testing.T) { t.Parallel() db := setupDb(t) - logger := log.NewJSONLogger(os.Stderr) //log.NewNopLogger() + logger := log.NewNopLogger() key, err := SetupLocalDbKey(logger, db) require.NoError(t, err) From 5a0cec90b367ae2cdd09394dc5b8ca50fb76e6fe Mon Sep 17 00:00:00 2001 From: seph Date: Tue, 24 Jan 2023 09:23:54 -0500 Subject: [PATCH 19/20] only write if not nil --- pkg/agent/keys.go | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/pkg/agent/keys.go b/pkg/agent/keys.go index 2604b23df..513db4421 100644 --- a/pkg/agent/keys.go +++ b/pkg/agent/keys.go @@ -83,12 +83,21 @@ func storeKeyData(db *bbolt.DB, pri, pub []byte) error { return fmt.Errorf("creating bucket: %w", err) } - if err := b.Put([]byte(privateEccData), pri); err != nil { - return err + // It's not really clear what we should do if this is called with a nil pri or pub. We + // could delete the key data, but that feels like the wrong thing -- what if there's a + // weird caller error? So, in the event of nils, we skip the write. We may revisit this + // as we learn more + + if pri != nil { + if err := b.Put([]byte(privateEccData), pri); err != nil { + return err + } } - if err := b.Put([]byte(publicEccData), pub); err != nil { - return err + if pub != nil { + if err := b.Put([]byte(publicEccData), pub); err != nil { + return err + } } return nil From 0956724075a286355f53a1493cdc2af0be66710a Mon Sep 17 00:00:00 2001 From: seph Date: Tue, 24 Jan 2023 10:29:04 -0500 Subject: [PATCH 20/20] Update pkg/agent/keys_tpm.go Co-authored-by: James Pickett --- pkg/agent/keys_tpm.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/agent/keys_tpm.go b/pkg/agent/keys_tpm.go index 3bacf6556..ec66db984 100644 --- a/pkg/agent/keys_tpm.go +++ b/pkg/agent/keys_tpm.go 
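Review bot: With both writes now conditional, `storeKeyData(db, nil, nil)` succeeds without touching the database, so the "weird caller error" the comment worries about becomes invisible rather than surfaced. Returning an error when both are nil, `if pri == nil && pub == nil { return fmt.Errorf("storeKeyData called with no key data") }`, keeps the darwin `storeKeyData(db, nil, pubData)` call working while making the all-nil case loud. The doc comment should also state that a nil argument leaves any previously stored value in place, since a stale privateEccData surviving next to a newly written public key is now a possible outcome. The start of storeKeyData is outside this hunk.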
@@ -36,7 +36,7 @@ func setupHardwareKeys(logger log.Logger, db *bbolt.DB) (keyInt, error) {
 k, err := tpm.New(priData, pubData)
 if err != nil {
- return nil, fmt.Errorf("creating tpm signer:, from new key %w", err)
+ return nil, fmt.Errorf("creating tpm signer: from new key: %w", err)
 }
 return k, nil