Certings (#224)

* wip - certz

* Various changes

Co-authored-by: Torbjørn Hallenberg <[email protected]>

* Sync

* småflikks

* sync

Co-authored-by: J-K. Solbakken <[email protected]>
Co-authored-by: Torbjørn Hallenberg <[email protected]>

Author: 3 people

pkg/outtune/outtune.go

@@ -67,13 +67,17 @@ func download(ctx context.Context, serial string, privateKey *rsa.PrivateKey) (*
 		return nil, err
 	}
 
+	return downloadWithPublicKey(ctx, serial, publicKey)
+}
+
+func downloadWithPublicKey(ctx context.Context, serial string, publicKey []byte) (*response, error) {
 	block := &pem.Block{
 		Type:  "PUBLIC KEY",
 		Bytes: publicKey,
 	}
 
 	buf := &bytes.Buffer{}
-	err = pem.Encode(buf, block)
+	err := pem.Encode(buf, block)
 	if err != nil {
 		return nil, fmt.Errorf("encode public key in PEM format: %w", err)
 	}

pkg/outtune/outtune_darwin.go

@@ -3,22 +3,35 @@ package outtune
 import (
 	"bufio"
 	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"regexp"
-	"strings"
 
 	"github.com/nais/device/pkg/pb"
 	log "github.com/sirupsen/logrus"
 )
 
-const aadLoginURL = "https://nav-no.managed.us2.access-control.cas.ms/aad_login"
+const (
+	aadLoginURL = "https://nav-no.managed.us2.access-control.cas.ms/aad_login"
+	certPath    = "Library/Application Support/naisdevice/browser_cert_pubkey.pem"
+)
 
 type darwin struct {
 	helper pb.DeviceHelperClient
 }
 
+type certresponse struct {
+	CertPem string `json:"cert_pem"`
+}
+
 func New(helper pb.DeviceHelperClient) Outtune {
 	return &darwin{
 		helper: helper,
@@ -32,71 +45,69 @@ func (o *darwin) Cleanup(ctx context.Context) error {
 		return err
 	}
 
-	// find identities in Mac OS X keychain for this serial
-	identities, err := identities(ctx, serial.GetSerial())
+	// find certificates in Mac OS X keychain for this serial
+	certificates, err := certificates(ctx, serial.GetSerial())
 	if err != nil {
 		return err
 	}
 
 	// remove identities
-	for _, certificateSerial := range identities {
-		cmd := exec.CommandContext(ctx, "/usr/bin/security", "delete-identity", "-Z", certificateSerial, "-t")
+	for _, certificateSerial := range certificates {
+		cmd := exec.CommandContext(ctx, "/usr/bin/security", "delete-certificate", "-Z", certificateSerial)
 		err = cmd.Run()
 		if err != nil {
 			log.Errorf("unable to delete certificate and private key from keychain: %s", err)
 		} else {
-			log.Debugf("deleted identity '%s' from keychain", certificateSerial)
+			log.Debugf("deleted certificate '%s' from keychain", certificateSerial)
 		}
 	}
 
 	return nil
 }
 
 func (o *darwin) Install(ctx context.Context) error {
-	o.Cleanup(ctx)
-
 	serial, err := o.helper.GetSerial(ctx, &pb.GetSerialRequest{})
 	if err != nil {
 		return err
 	}
 
-	id, err := generateKeyAndCertificate(ctx, serial.GetSerial())
+	home, err := os.UserHomeDir()
 	if err != nil {
-		return err
+		return fmt.Errorf("could not determine user home directory: %v", err)
 	}
 
-	w, err := os.CreateTemp(os.TempDir(), "naisdevice-")
-	if err != nil {
-		return err
-	}
-	defer w.Close()
-	defer os.Remove(w.Name())
+	pubKeyPath := filepath.Join(home, certPath)
 
-	// Write key+certificate pair to disk in PEM format
-	err = id.SerializePEM(w)
+	var pk *rsa.PrivateKey
+	_, err = os.Stat(pubKeyPath)
 	if err != nil {
-		return err
+		if !errors.Is(err, fs.ErrNotExist) {
+			return err
+		}
+
+		pk, err = o.generate(ctx, serial.GetSerial(), pubKeyPath)
+		if err != nil {
+			return err
+		}
+	} else {
+		o.Cleanup(ctx)
 	}
 
-	// flush contents to disk
-	err = w.Close()
+	resp, err := o.download_cert(ctx, serial.GetSerial(), pubKeyPath)
 	if err != nil {
 		return err
 	}
-
-	// run Mac OS X keychain import tool
-	cmd := exec.CommandContext(ctx, "/usr/bin/security", "import", w.Name(), "-A")
-	err = cmd.Run()
+	err = o.importIdentity(ctx, pk, resp.CertificatePEM)
 	if err != nil {
 		return err
 	}
 
-	currentIdentities, err := identities(ctx, serial.GetSerial())
-	if err != nil {
+	currentIdentities, err := certificates(ctx, serial.GetSerial())
+	if err != nil || len(currentIdentities) == 0 {
 		return fmt.Errorf("unable to find identity in keychain: %s", err)
 	}
 
-	cmd = exec.CommandContext(ctx, "/usr/bin/security", "set-identity-preference", "-Z", currentIdentities[0], "-s", aadLoginURL)
+	cmd := exec.CommandContext(ctx, "/usr/bin/security", "set-identity-preference", "-Z", currentIdentities[0], "-s", aadLoginURL)
 	err = cmd.Run()
 	if err != nil {
 		log.Errorf("set-identity-preference: %s", err)
@@ -105,9 +116,70 @@ func (o *darwin) Install(ctx context.Context) error {
 	return nil
 }
 
-func identities(ctx context.Context, serial string) ([]string, error) {
+func (o *darwin) download_cert(ctx context.Context, serial, pubKeyPath string) (*response, error) {
+	publicKey, err := os.ReadFile(pubKeyPath)
+	if err != nil {
+		return nil, err
+	}
+
+	return downloadWithPublicKey(ctx, serial, publicKey)
+}
+
+func (o *darwin) generate(ctx context.Context, serial, pubKeyPath string) (*rsa.PrivateKey, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, entropyBits)
+	if err != nil {
+		return nil, err
+	}
+
+	publicKey, err := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return privateKey, os.WriteFile(pubKeyPath, publicKey, 0o644)
+}
+
+func (o *darwin) importIdentity(ctx context.Context, privateKey *rsa.PrivateKey, certificate string) error {
+	w, err := os.CreateTemp(os.TempDir(), "naisdevice-")
+	if err != nil {
+		return err
+	}
+	defer w.Close()
+	defer os.Remove(w.Name())
+
+	if privateKey != nil {
+		pem.Encode(w, &pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: x509.MarshalPKCS1PrivateKey(privateKey),
+		})
+	}
+
+	block, rest := pem.Decode([]byte(certificate))
+	if len(rest) > 0 {
+		log.Warnf("certificate had remaining input which was ignored")
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return err
+	}
+	pem.Encode(w, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Raw,
+	})
+
+	// flush contents to disk
+	err = w.Close()
+	if err != nil {
+		return err
+	}
+	// run Mac OS X keychain import tool
+	cmd := exec.CommandContext(ctx, "/usr/bin/security", "import", w.Name(), "-A")
+	return cmd.Run()
+}
+
+func certificates(ctx context.Context, serial string) ([]string, error) {
 	id := "naisdevice - " + serial
-	cmd := exec.CommandContext(ctx, "/usr/bin/security", "find-identity", "-s", id)
+	cmd := exec.CommandContext(ctx, "/usr/bin/security", "find-certificate", "-c", id, "-Z")
 	stdout, err := cmd.StdoutPipe()
 	if err != nil {
 		return nil, err
@@ -120,15 +192,15 @@ func identities(ctx context.Context, serial string) ([]string, error) {
 	}
 
 	idMap := make(map[string]struct{})
-	re := regexp.MustCompile("[A-Za-z0-9]{40}")
+	re := regexp.MustCompile(`SHA-1 hash:\s([A-Za-z0-9]{40})`)
 	scan := bufio.NewScanner(stdout)
 	for scan.Scan() {
 		line := scan.Text()
-		certificateID := re.FindString(line)
-		if len(certificateID) == 0 || !strings.Contains(line, "naisdevice") {
+		matches := re.FindAllStringSubmatch(line, 1)
+		if len(matches) == 0 {
 			continue
 		}
-		idMap[certificateID] = struct{}{}
+		idMap[matches[0][1]] = struct{}{}
 	}
 
 	err = cmd.Wait()