Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(server): auto sign all release targets
* automatically generate gpg signing key and store into the storage; * get public part of gpg signing key with GET `/configure/gpg_signing_key`; * delete current gpg signing key with DELETE `/configure/gpg_signing_key` (key will be automatically regenerated); * each release target `targets/releases/RELEASE/OS-ARCH/FILE` have a signature available in the `targets/signatures/RELEASE/OS-ARCH/FILE.sig` file.
- Loading branch information
1 parent
6ea22f5
commit c6221a8
Showing
11 changed files
with
431 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,87 @@ | ||
package pgp | ||
|
||
import ( | ||
"crypto" | ||
"crypto/rand" | ||
"fmt" | ||
"io" | ||
"time" | ||
|
||
"golang.org/x/crypto/openpgp" | ||
"golang.org/x/crypto/openpgp/armor" | ||
"golang.org/x/crypto/openpgp/packet" | ||
) | ||
|
||
type RSASigningKey struct { | ||
Entity *openpgp.Entity | ||
} | ||
|
||
func (key *RSASigningKey) SerializePublicKey(out io.Writer) error { | ||
armoredOut, err := armor.Encode(out, openpgp.PublicKeyType, nil) | ||
if err != nil { | ||
return fmt.Errorf("unable to prepare armored writer: %s", err) | ||
} | ||
|
||
if err := key.Entity.Serialize(armoredOut); err != nil { | ||
return err | ||
} | ||
|
||
if err := armoredOut.Close(); err != nil { | ||
return fmt.Errorf("unable to close armored writer: %s", err) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func (key *RSASigningKey) SerializeFull(out io.Writer) error { | ||
return key.SerializePrivateKey(out) | ||
} | ||
|
||
func (key *RSASigningKey) SerializePrivateKey(out io.Writer) error { | ||
armoredOut, err := armor.Encode(out, openpgp.PrivateKeyType, nil) | ||
if err != nil { | ||
return fmt.Errorf("unable to prepare armored writer: %s", err) | ||
} | ||
|
||
if err := key.Entity.SerializePrivate(armoredOut, nil); err != nil { | ||
return err | ||
} | ||
|
||
if err := armoredOut.Close(); err != nil { | ||
return fmt.Errorf("unable to close armored writer: %s", err) | ||
} | ||
|
||
return nil | ||
} | ||
|
||
func GenerateRSASigningKey() (*RSASigningKey, error) { | ||
entity, err := openpgp.NewEntity("trdl", "trdl server auto signer", "", &packet.Config{ | ||
Time: time.Now, | ||
Rand: rand.Reader, | ||
DefaultHash: crypto.SHA256, | ||
DefaultCipher: packet.CipherAES128, | ||
RSABits: 4096, | ||
}) | ||
if err != nil { | ||
return nil, fmt.Errorf("unable to generate openpgp entity: %s", err) | ||
} | ||
|
||
return &RSASigningKey{Entity: entity}, nil | ||
} | ||
|
||
func ParseRSASigningKey(in io.Reader) (*RSASigningKey, error) { | ||
el, err := openpgp.ReadArmoredKeyRing(in) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
if len(el) == 0 { | ||
return nil, fmt.Errorf("no private pgp signing key entities found") | ||
} | ||
|
||
return &RSASigningKey{Entity: el[0]}, nil | ||
} | ||
|
||
func SignDataStream(detachedSignatureOut io.Writer, dataStream io.Reader, key *RSASigningKey) error { | ||
return openpgp.DetachSign(detachedSignatureOut, key.Entity, dataStream, nil) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
package pgp | ||
|
||
import ( | ||
"bytes" | ||
"fmt" | ||
"io" | ||
"io/ioutil" | ||
"math/rand" | ||
"os" | ||
"os/exec" | ||
"testing" | ||
"time" | ||
|
||
. "github.com/onsi/ginkgo" | ||
. "github.com/onsi/gomega" | ||
) | ||
|
||
func TestPGPSigningKey(t *testing.T) { | ||
RegisterFailHandler(Fail) | ||
RunSpecs(t, "PGP signing key suite") | ||
} | ||
|
||
var _ = Describe("PGP signing key", func() { | ||
BeforeEach(func() { | ||
rand.Seed(time.Now().Unix()) | ||
}) | ||
|
||
It("Should create detached signature of data stream then decode signature using GPG tool", func() { | ||
key, err := GenerateRSASigningKey() | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
fileContent := make([]byte, rand.Uint32()%104857600) | ||
rand.Read(fileContent) | ||
|
||
pgpSignBuf := bytes.NewBuffer(nil) | ||
|
||
err = SignDataStream(pgpSignBuf, bytes.NewReader(fileContent), key) | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
pgpSign := pgpSignBuf.Bytes() | ||
|
||
Expect(len(pgpSignBuf.String()) > 0).To(BeTrue()) | ||
|
||
tmpFile, err := ioutil.TempFile("", "pgp-signing-key-test-file-") | ||
Expect(err).NotTo(HaveOccurred()) | ||
defer os.RemoveAll(tmpFile.Name()) | ||
_, err = io.Copy(tmpFile, bytes.NewReader(fileContent)) | ||
Expect(err).NotTo(HaveOccurred()) | ||
err = tmpFile.Close() | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
tmpSigFile, err := ioutil.TempFile("", "pgp-signing-key-test-file-*.sig") | ||
Expect(err).NotTo(HaveOccurred()) | ||
defer os.RemoveAll(tmpSigFile.Name()) | ||
_, err = io.Copy(tmpSigFile, bytes.NewReader(pgpSign)) | ||
Expect(err).NotTo(HaveOccurred()) | ||
err = tmpSigFile.Close() | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
tmpPubkeyFile, err := ioutil.TempFile("", "pgp-signing-key-test-pubkey-*.gpg") | ||
Expect(err).NotTo(HaveOccurred()) | ||
defer os.RemoveAll(tmpPubkeyFile.Name()) | ||
pubkeyData := bytes.NewBuffer(nil) | ||
err = key.SerializePublicKey(pubkeyData) | ||
Expect(err).NotTo(HaveOccurred()) | ||
_, err = io.Copy(tmpPubkeyFile, bytes.NewReader(pubkeyData.Bytes())) | ||
Expect(err).NotTo(HaveOccurred()) | ||
err = tmpPubkeyFile.Close() | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
fmt.Printf("Importing gpg key:\n%s\n", pubkeyData) | ||
|
||
cmd := exec.Command("gpg", "--import", tmpPubkeyFile.Name()) | ||
cmd.Stdout = os.Stdout | ||
cmd.Stderr = os.Stderr | ||
err = cmd.Run() | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
cmd = exec.Command("gpg", "--verify", tmpSigFile.Name(), tmpFile.Name()) | ||
cmd.Stdout = os.Stdout | ||
cmd.Stderr = os.Stderr | ||
err = cmd.Run() | ||
Expect(err).NotTo(HaveOccurred()) | ||
}) | ||
|
||
It("Should serialize and deserialize PGP signing key into text", func() { | ||
key, err := GenerateRSASigningKey() | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
data := bytes.NewBuffer(nil) | ||
err = key.SerializeFull(data) | ||
Expect(err).NotTo(HaveOccurred()) | ||
fmt.Printf("Serialized key:\n%s\n", data.String()) | ||
|
||
newKey, err := ParseRSASigningKey(bytes.NewReader(data.Bytes())) | ||
Expect(err).NotTo(HaveOccurred()) | ||
|
||
Expect(key.Entity.PrimaryKey.KeyId).To(Equal(newKey.Entity.PrimaryKey.KeyId)) | ||
Expect(key.Entity.PrimaryKey.Fingerprint).To(Equal(newKey.Entity.PrimaryKey.Fingerprint)) | ||
|
||
Expect(key.Entity.PrivateKey.KeyId).To(Equal(newKey.Entity.PrivateKey.KeyId)) | ||
Expect(key.Entity.PrivateKey.Fingerprint).To(Equal(newKey.Entity.PrimaryKey.Fingerprint)) | ||
|
||
for k, ident := range key.Entity.Identities { | ||
newIdent := newKey.Entity.Identities[k] | ||
Expect(ident.UserId).To(Equal(newIdent.UserId)) | ||
Expect(ident.Name).To(Equal(newIdent.Name)) | ||
} | ||
}) | ||
}) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,57 @@ | ||
package publisher | ||
|
||
import "github.com/hashicorp/vault/sdk/framework" | ||
import ( | ||
"bytes" | ||
"context" | ||
"fmt" | ||
|
||
func (m *Publisher) Paths() []*framework.Path { | ||
return nil | ||
"github.com/hashicorp/vault/sdk/framework" | ||
"github.com/hashicorp/vault/sdk/logical" | ||
) | ||
|
||
func (publisher *Publisher) Paths() []*framework.Path { | ||
return []*framework.Path{ | ||
{ | ||
Pattern: "configure/pgp_signing_key", | ||
Fields: map[string]*framework.FieldSchema{}, | ||
Operations: map[logical.Operation]framework.OperationHandler{ | ||
logical.ReadOperation: &framework.PathOperation{ | ||
Description: "Get public part of PGP signing key", | ||
Callback: publisher.pathConfigurePGPSigningKeyRead, | ||
}, | ||
logical.DeleteOperation: &framework.PathOperation{ | ||
Description: "Delete current PGP signing key (new key will be generated automatically ondemand)", | ||
Callback: publisher.pathConfigurePGPSigningKeyDelete, | ||
}, | ||
}, | ||
}, | ||
} | ||
} | ||
|
||
func (publisher *Publisher) pathConfigurePGPSigningKeyRead(ctx context.Context, req *logical.Request, fields *framework.FieldData) (*logical.Response, error) { | ||
key, err := publisher.fetchPGPSigningKey(ctx, req.Storage, false) | ||
if err == ErrUninitializedPGPSigningKey { | ||
return logical.ErrorResponse(ErrUninitializedPGPSigningKey.Error()), nil | ||
} | ||
if err != nil { | ||
return nil, fmt.Errorf("error fetching pgp signing key: %s", err) | ||
} | ||
|
||
pk := bytes.NewBuffer(nil) | ||
if err := key.SerializePublicKey(pk); err != nil { | ||
return nil, fmt.Errorf("unable to get public key text: %s", err) | ||
} | ||
|
||
return &logical.Response{ | ||
Data: map[string]interface{}{ | ||
"public_key": pk.String(), | ||
}, | ||
}, nil | ||
} | ||
|
||
func (publisher *Publisher) pathConfigurePGPSigningKeyDelete(ctx context.Context, req *logical.Request, fields *framework.FieldData) (*logical.Response, error) { | ||
if err := publisher.deletePGPSigningKey(ctx, req.Storage); err != nil { | ||
return nil, fmt.Errorf("error deleting pgp signing key: %s", err) | ||
} | ||
return &logical.Response{Data: map[string]interface{}{}}, nil | ||
} |
Oops, something went wrong.