kcrypt-challenger/cmd/discovery/client/enc.go

package client

import (
	"encoding/json"
	"fmt"
	"strings"

	"github.com/kairos-io/kairos-challenger/pkg/constants"
	"github.com/kairos-io/kairos-challenger/pkg/payload"

	"github.com/jaypipes/ghw/pkg/block"
	"github.com/kairos-io/tpm-helpers"
	"github.com/mudler/yip/pkg/utils"
	"github.com/pkg/errors"
)

const DefaultNVIndex = "0x1500000"

func getPass(server, certificate string, partition *block.Partition) (string, bool, error) {
	msg, err := tpm.Get(server,
		tpm.WithCAs([]byte(certificate)),
		tpm.AppendCustomCAToSystemCA,
		tpm.WithAdditionalHeader("label", partition.Label),
		tpm.WithAdditionalHeader("name", partition.Name),
		tpm.WithAdditionalHeader("uuid", partition.UUID))
	if err != nil {
		return "", false, err
	}
	result := payload.Data{}
	err = json.Unmarshal(msg, &result)
	if err != nil {
		return "", false, errors.Wrap(err, string(msg))
	}

	if result.HasPassphrase() {
		return fmt.Sprint(result.Passphrase), result.HasBeenGenerated() && result.GeneratedBy == constants.TPMSecret, nil
	} else if result.HasError() {
		if strings.Contains(result.Error, "No secret found for") {
			return "", false, errPartNotFound
		}
		if strings.Contains(result.Error, "x509: certificate signed by unknown authority") {
			return "", false, errBadCertificate
		}
		return "", false, fmt.Errorf(result.Error)
	}

	return "", false, errPartNotFound
}

func genAndStore(k Config) (string, error) {
	opts := []tpm.TPMOption{}
	if k.Kcrypt.Challenger.TPMDevice != "" {
		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
	}
	if k.Kcrypt.Challenger.CIndex != "" {
		opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
	}

	// Generate a new one, and return it to luks
	rand := utils.RandomString(32)
	blob, err := tpm.EncryptBlob([]byte(rand))
	if err != nil {
		return "", err
	}
	nvindex := DefaultNVIndex
	if k.Kcrypt.Challenger.NVIndex != "" {
		nvindex = k.Kcrypt.Challenger.NVIndex
	}
	opts = append(opts, tpm.WithIndex(nvindex))
	return rand, tpm.StoreBlob(blob, opts...)
}

func localPass(k Config) (string, error) {
	index := DefaultNVIndex
	if k.Kcrypt.Challenger.NVIndex != "" {
		index = k.Kcrypt.Challenger.NVIndex
	}
	opts := []tpm.TPMOption{tpm.WithIndex(index)}
	if k.Kcrypt.Challenger.TPMDevice != "" {
		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
	}
	encodedPass, err := tpm.ReadBlob(opts...)
	if err != nil {
		// Generate if we fail to read from the assigned blob
		return genAndStore(k)
	}

	// Decode and give it back
	opts = []tpm.TPMOption{}
	if k.Kcrypt.Challenger.CIndex != "" {
		opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))
	}
	if k.Kcrypt.Challenger.TPMDevice != "" {
		opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))
	}
	pass, err := tpm.DecryptBlob(encodedPass, opts...)
	return string(pass), err
}
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`package client`

			`import (`
			`"encoding/json"`
			`"fmt"`
Return a payload Signed-off-by: mudler <mudler@c3os.io> 2023-01-24 11:03:08 +00:00			`"strings"`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00
			`"github.com/kairos-io/kairos-challenger/pkg/constants"`
Return a payload Signed-off-by: mudler <mudler@c3os.io> 2023-01-24 11:03:08 +00:00			`"github.com/kairos-io/kairos-challenger/pkg/payload"`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00
			`"github.com/jaypipes/ghw/pkg/block"`
			`"github.com/kairos-io/tpm-helpers"`
			`"github.com/mudler/yip/pkg/utils"`
			`"github.com/pkg/errors"`
			`)`

Small refactorings (renaming vars, create constants etc) Signed-off-by: Ettore Di Giacinto <ettore@spectrocloud.com> 2023-01-19 14:24:39 +00:00			`const DefaultNVIndex = "0x1500000"`

Implement pinned certs Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me> 2023-02-09 07:52:51 +00:00			`func getPass(server, certificate string, partition *block.Partition) (string, bool, error) {`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`msg, err := tpm.Get(server,`
Implement pinned certs Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me> 2023-02-09 07:52:51 +00:00			`tpm.WithCAs([]byte(certificate)),`
Fallback to system CAs No automated test for this case because it's complicated to get a properly signed certificate in tests: - the domain we use is sslip.io (not sure if letsencrypt would sign it) - we need to use the letsencrypt production and that has quotas not suitable for CI Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me> 2023-02-09 09:24:10 +00:00			`tpm.AppendCustomCAToSystemCA,`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`tpm.WithAdditionalHeader("label", partition.Label),`
			`tpm.WithAdditionalHeader("name", partition.Name),`
			`tpm.WithAdditionalHeader("uuid", partition.UUID))`
			`if err != nil {`
			`return "", false, err`
			`}`
Return a payload Signed-off-by: mudler <mudler@c3os.io> 2023-01-24 11:03:08 +00:00			`result := payload.Data{}`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`err = json.Unmarshal(msg, &result)`
			`if err != nil {`
			`return "", false, errors.Wrap(err, string(msg))`
			`}`
Return a payload Signed-off-by: mudler <mudler@c3os.io> 2023-01-24 11:03:08 +00:00
			`if result.HasPassphrase() {`
			`return fmt.Sprint(result.Passphrase), result.HasBeenGenerated() && result.GeneratedBy == constants.TPMSecret, nil`
			`} else if result.HasError() {`
			`if strings.Contains(result.Error, "No secret found for") {`
			`return "", false, errPartNotFound`
			`}`
Implement test that checks invalid cert case Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me> 2023-02-09 08:49:32 +00:00			`if strings.Contains(result.Error, "x509: certificate signed by unknown authority") {`
			`return "", false, errBadCertificate`
			`}`
Return a payload Signed-off-by: mudler <mudler@c3os.io> 2023-01-24 11:03:08 +00:00			`return "", false, fmt.Errorf(result.Error)`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`
Return a payload Signed-off-by: mudler <mudler@c3os.io> 2023-01-24 11:03:08 +00:00
:seedling: Small fixups Signed-off-by: mudler <mudler@c3os.io> 2023-01-19 13:24:33 +00:00			`return "", false, errPartNotFound`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`

			`func genAndStore(k Config) (string, error) {`
			`opts := []tpm.TPMOption{}`
:seedling: Small fixups Signed-off-by: mudler <mudler@c3os.io> 2023-01-19 13:24:33 +00:00			`if k.Kcrypt.Challenger.TPMDevice != "" {`
			`opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`
:seedling: Small fixups Signed-off-by: mudler <mudler@c3os.io> 2023-01-19 13:24:33 +00:00			`if k.Kcrypt.Challenger.CIndex != "" {`
			`opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`

			`// Generate a new one, and return it to luks`
			`rand := utils.RandomString(32)`
Improve naming of functions and add comments Signed-off-by: Dimitris Karakasilis <dimitris@spectrocloud.com> 2023-01-19 14:06:53 +00:00			`blob, err := tpm.EncryptBlob([]byte(rand))`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`if err != nil {`
			`return "", err`
			`}`
Small refactorings (renaming vars, create constants etc) Signed-off-by: Ettore Di Giacinto <ettore@spectrocloud.com> 2023-01-19 14:24:39 +00:00			`nvindex := DefaultNVIndex`
:seedling: Small fixups Signed-off-by: mudler <mudler@c3os.io> 2023-01-19 13:24:33 +00:00			`if k.Kcrypt.Challenger.NVIndex != "" {`
			`nvindex = k.Kcrypt.Challenger.NVIndex`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`
			`opts = append(opts, tpm.WithIndex(nvindex))`
			`return rand, tpm.StoreBlob(blob, opts...)`
			`}`

			`func localPass(k Config) (string, error) {`
Small refactorings (renaming vars, create constants etc) Signed-off-by: Ettore Di Giacinto <ettore@spectrocloud.com> 2023-01-19 14:24:39 +00:00			`index := DefaultNVIndex`
:seedling: Small fixups Signed-off-by: mudler <mudler@c3os.io> 2023-01-19 13:24:33 +00:00			`if k.Kcrypt.Challenger.NVIndex != "" {`
			`index = k.Kcrypt.Challenger.NVIndex`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`
			`opts := []tpm.TPMOption{tpm.WithIndex(index)}`
:seedling: Small fixups Signed-off-by: mudler <mudler@c3os.io> 2023-01-19 13:24:33 +00:00			`if k.Kcrypt.Challenger.TPMDevice != "" {`
			`opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`
			`encodedPass, err := tpm.ReadBlob(opts...)`
			`if err != nil {`
			`// Generate if we fail to read from the assigned blob`
			`return genAndStore(k)`
			`}`

			`// Decode and give it back`
			`opts = []tpm.TPMOption{}`
:seedling: Small fixups Signed-off-by: mudler <mudler@c3os.io> 2023-01-19 13:24:33 +00:00			`if k.Kcrypt.Challenger.CIndex != "" {`
			`opts = append(opts, tpm.WithIndex(k.Kcrypt.Challenger.CIndex))`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`
:seedling: Small fixups Signed-off-by: mudler <mudler@c3os.io> 2023-01-19 13:24:33 +00:00			`if k.Kcrypt.Challenger.TPMDevice != "" {`
			`opts = append(opts, tpm.WithDevice(k.Kcrypt.Challenger.TPMDevice))`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`}`
Improve naming of functions and add comments Signed-off-by: Dimitris Karakasilis <dimitris@spectrocloud.com> 2023-01-19 14:06:53 +00:00			`pass, err := tpm.DecryptBlob(encodedPass, opts...)`
Enable local encryption, remote now partially uses TPM Signed-off-by: mudler <mudler@c3os.io> 2023-01-18 22:32:23 +00:00			`return string(pass), err`
			`}`