kolide · James-Pickett · Dec 12, 2023 · Dec 15, 2023 · Dec 15, 2023 · Dec 15, 2023
diff --git a/cmd/launcher/main.go b/cmd/launcher/main.go
@@ -175,6 +175,8 @@ func runSubcommands() error {
 		run = runDownloadOsquery
 	case "uninstall":
 		run = runUninstall
+	case "secure-enclave":
+		run = runSecureEnclave
 	default:
 		return fmt.Errorf("Unknown subcommand %s", os.Args[1])
 	}

diff --git a/cmd/launcher/secure_enclave_dawin.go b/cmd/launcher/secure_enclave_dawin.go
@@ -0,0 +1,153 @@
+//go:build darwin
+// +build darwin
+
+package main
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"time"
+
+	"github.com/kolide/krypto/pkg/challenge"
+	"github.com/kolide/krypto/pkg/echelper"
+	"github.com/kolide/krypto/pkg/secureenclave"
+	"github.com/kolide/launcher/ee/agent/certs"
+	"github.com/kolide/launcher/ee/secureenclavesigner"
+	"github.com/kolide/launcher/pkg/backoff"
+	"github.com/vmihailenco/msgpack/v5"
+)
+
+var serverPubKeys = make(map[string]*ecdsa.PublicKey)
+
+func runSecureEnclave(args []string) error {
+	if len(args) < 2 {
+		return fmt.Errorf("not enough arguments, expect create_key <request> or sign <sign_request>")
+	}
+
+	if secureenclavesigner.Undertest {
+		if secureenclavesigner.TestServerPubKey == "" {
+			return fmt.Errorf("test server public key not set")
+		}
+
+		k, err := echelper.PublicB64DerToEcdsaKey([]byte(secureenclavesigner.TestServerPubKey))
+		if err != nil {
+			return fmt.Errorf("parsing test server public key: %w", err)
+		}
+
+		serverPubKeys[string(secureenclavesigner.TestServerPubKey)] = k
+	}
+
+	for _, keyStr := range []string{certs.K2EccServerCert, certs.ReviewEccServerCert, certs.LocalhostEccServerCert} {
+		key, err := echelper.PublicPemToEcdsaKey([]byte(keyStr))
+		if err != nil {
+			return fmt.Errorf("parsing server public key from pem: %w", err)
+		}
+
+		pubB64Der, err := echelper.PublicEcdsaToB64Der(key)
+		if err != nil {
+			return fmt.Errorf("marshalling server public key to b64 der: %w", err)
+		}
+
+		serverPubKeys[string(pubB64Der)] = key
+	}
+
+	switch args[0] {
+	case "create-key":
+		return createSecureEnclaveKey(args[1])
+
+	case "sign":
+		return signWithSecureEnclave(args[1])
+
+	default:
+		return fmt.Errorf("unknown command %s", args[0])
+	}
+}
+
+func createSecureEnclaveKey(requestB64 string) error {
+	b, err := base64.StdEncoding.DecodeString(requestB64)
+	if err != nil {
+		return fmt.Errorf("decoding b64 request: %w", err)
+	}
+
+	var request secureenclavesigner.Request
+	if err := msgpack.Unmarshal(b, &request); err != nil {
+		return fmt.Errorf("unmarshaling msgpack request: %w", err)
+	}
+
+	if err := verifySecureEnclaveChallenge(request); err != nil {
+		return fmt.Errorf("verifying challenge: %w", err)
+	}
+
+	secureEnclavePubKey, err := secureenclave.CreateKey()
+	if err != nil {
+		return fmt.Errorf("creating secure enclave key: %w", err)
+	}
+
+	secureEnclavePubDer, err := echelper.PublicEcdsaToB64Der(secureEnclavePubKey)
+	if err != nil {
+		return fmt.Errorf("marshalling public key to der: %w", err)
+	}
+
+	fmt.Println(string(secureEnclavePubDer))
+	return nil
+}
+
+func signWithSecureEnclave(signRequestB64 string) error {
+	b, err := base64.StdEncoding.DecodeString(signRequestB64)
+	if err != nil {
+		return fmt.Errorf("decoding b64 sign request: %w", err)
+	}
+
+	var signRequest secureenclavesigner.SignRequest
+	if err := msgpack.Unmarshal(b, &signRequest); err != nil {
+		return fmt.Errorf("unmarshaling msgpack sign request: %w", err)
+	}
+
+	if err := verifySecureEnclaveChallenge(signRequest.Request); err != nil {
+		return fmt.Errorf("verifying challenge: %w", err)
+	}
+
+	secureEnclavePubKey, err := echelper.PublicB64DerToEcdsaKey(signRequest.SecureEnclavePubKey)
+	if err != nil {
+		return fmt.Errorf("marshalling b64 der to public key: %w", err)
+	}
+
+	ses, err := secureenclave.New(secureEnclavePubKey)
+	if err != nil {
+		return fmt.Errorf("creating secure enclave signer: %w", err)
+	}
+	var sig []byte
+	backoff.WaitFor(func() error {
+		sig, err = ses.Sign(rand.Reader, signRequest.Digest, crypto.SHA256)
+		return err
+	}, 250*time.Millisecond, 2*time.Second)
+
+	if err != nil {
+		return fmt.Errorf("signing request: %w", err)
+	}
+
+	fmt.Print(base64.StdEncoding.EncodeToString(sig))
+	return nil
+}
+
+func verifySecureEnclaveChallenge(request secureenclavesigner.Request) error {
+	c, err := challenge.UnmarshalChallenge(request.Challenge)
+	if err != nil {
+		return fmt.Errorf("unmarshaling challenge: %w", err)
+	}
+
+	serverPubKey, ok := serverPubKeys[string(request.ServerPubKey)]
+	if !ok {
+		return fmt.Errorf("server public key not found")
+	}
+
+	if err := c.Verify(*serverPubKey); err != nil {
+		return fmt.Errorf("verifying challenge: %w", err)
+	}
+
+	// TODO verify time stamp
+	return nil
+}
diff --git a/cmd/launcher/secure_enclave_other.go b/cmd/launcher/secure_enclave_other.go
@@ -0,0 +1,10 @@
+//go:build !darwin
+// +build !darwin
+
+package main
+
+import "errors"
+
+func runSecureEnclave(args []string) error {
+	return errors.New("not implemented on non darwin platforms")
+}
diff --git a/cmd/launcher/secure_enclave_test.go b/cmd/launcher/secure_enclave_test.go
@@ -0,0 +1,204 @@
+//go:build darwin
+// +build darwin
+
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/kolide/kit/ulid"
+	"github.com/kolide/krypto/pkg/challenge"
+	"github.com/kolide/krypto/pkg/echelper"
+	"github.com/kolide/launcher/ee/secureenclavesigner"
+	"github.com/stretchr/testify/require"
+	"github.com/vmihailenco/msgpack/v5"
+)
+
+const (
+	testWrappedEnvVarKey = "SECURE_ENCLAVE_TEST_WRAPPED"
+	macOsAppResourceDir  = "../../ee/secureenclavesigner/test_app_resources"
+)
+
+// TestSecureEnclaveTestRunner creates a MacOS app with the binary of this packages tests, then signs the app with entitlements and runs the tests.
+// This is done because in order to access secure enclave to run tests, we need MacOS entitlements.
+// #nosec G306 -- Need readable files
+func TestSecureEnclaveTestRunner(t *testing.T) {
+	t.Parallel()
+
+	if os.Getenv("CI") != "" {
+		t.Skipf("\nskipping because %s env var was not empty, this is being run in a CI environment without access to secure enclave", testWrappedEnvVarKey)
+	}
+
+	if os.Getenv(testWrappedEnvVarKey) != "" {
+		t.Skipf("\nskipping because %s env var was not empty, this is the execution of the codesigned app with entitlements", testWrappedEnvVarKey)
+	}
+
+	t.Log("\nexecuting wrapped tests with codesigned app and entitlements")
+
+	// set up app bundle
+	rootDir := t.TempDir()
+	appRoot := filepath.Join(rootDir, "launcher_test.app")
+
+	// make required dirs krypto_test.app/Contents/MacOS and add files
+	require.NoError(t, os.MkdirAll(filepath.Join(appRoot, "Contents", "MacOS"), 0700))
+	copyFile(t, filepath.Join(macOsAppResourceDir, "Info.plist"), filepath.Join(appRoot, "Contents", "Info.plist"))
+	copyFile(t, filepath.Join(macOsAppResourceDir, "embedded.provisionprofile"), filepath.Join(appRoot, "Contents", "embedded.provisionprofile"))
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	// build an executable containing the tests into the app bundle
+	executablePath := filepath.Join(appRoot, "Contents", "MacOS", "launcher_test")
+	out, err := exec.CommandContext(ctx,
+		"go",
+		"test",
+		"-c",
+		"--cover",
+		"--race",
+		"./",
+		"-o",
+		executablePath,
+	).CombinedOutput()
+
+	require.NoError(t, ctx.Err())
+	require.NoError(t, err, string(out))
+
+	// sign app bundle
+	signApp(t, appRoot)
+
+	// run app bundle executable
+	cmd := exec.CommandContext(ctx, executablePath, "-test.v")
+	cmd.Env = append(os.Environ(), fmt.Sprintf("%s=%s", testWrappedEnvVarKey, "true"))
+	out, err = cmd.CombinedOutput()
+	require.NoError(t, ctx.Err())
+	require.NoError(t, err, string(out))
+
+	// ensure the test ran
+	require.Contains(t, string(out), "PASS: TestSecureEnclaveCmd")
+	require.NotContains(t, string(out), "FAIL")
+	t.Log(string(out))
+}
+
+func TestSecureEnclaveCmd(t *testing.T) {
+	t.Parallel()
+
+	if os.Getenv(testWrappedEnvVarKey) == "" {
+		t.Skipf("\nskipping because %s env var was empty, test not being run from codesigned app with entitlements", testWrappedEnvVarKey)
+	}
+
+	t.Log("\nrunning wrapped tests with codesigned app and entitlements")
+
+	oldStdout := os.Stdout
+	defer func() {
+		os.Stdout = oldStdout
+	}()
+
+	// create a test server private key
+	testServerPrivKey, err := echelper.GenerateEcdsaKey()
+	require.NoError(t, err)
+
+	testServerPubKeyB64Der, err := echelper.PublicEcdsaToB64Der(&testServerPrivKey.PublicKey)
+	require.NoError(t, err)
+
+	// add the test server private key to the map of server public keys
+	serverPubKeys[string(testServerPubKeyB64Der)] = &testServerPrivKey.PublicKey
+
+	someData := []byte(ulid.New())
+	challenge, _, err := challenge.Generate(testServerPrivKey, someData, someData, someData)
+	require.NoError(t, err)
+
+	requestBytes, err := msgpack.Marshal(secureenclavesigner.Request{
+		Challenge:    challenge,
+		ServerPubKey: testServerPubKeyB64Der,
+	})
+	require.NoError(t, err)
+
+	// create a pipe to capture stdout
+	pipeReader, pipeWriter, err := os.Pipe()
+	require.NoError(t, err)
+
+	os.Stdout = pipeWriter
+
+	require.NoError(t, runSecureEnclave([]string{"create-key", base64.StdEncoding.EncodeToString(requestBytes)}))
+	require.NoError(t, pipeWriter.Close())
+
+	var buf bytes.Buffer
+	_, err = buf.ReadFrom(pipeReader)
+	require.NoError(t, err)
+
+	// convert response to public key
+	createKeyResponse := buf.Bytes()
+	secureEnclavePubKey, err := echelper.PublicB64DerToEcdsaKey(createKeyResponse)
+	require.NoError(t, err)
+	require.NotNil(t, secureEnclavePubKey, "should be able to get public key")
+
+	dataToSign := []byte(ulid.New())
+	digest, err := echelper.HashForSignature(dataToSign)
+	require.NoError(t, err)
+
+	signRequestBytes, err := msgpack.Marshal(secureenclavesigner.SignRequest{
+		Request: secureenclavesigner.Request{
+			Challenge:    challenge,
+			ServerPubKey: testServerPubKeyB64Der,
+		},
+		Digest:              digest,
+		SecureEnclavePubKey: createKeyResponse,
+	})
+	require.NoError(t, err)
+
+	pipeReader, pipeWriter, err = os.Pipe()
+	require.NoError(t, err)
+
+	os.Stdout = pipeWriter
+	require.NoError(t, runSecureEnclave([]string{"sign", base64.StdEncoding.EncodeToString(signRequestBytes)}))
+	require.NoError(t, pipeWriter.Close())
+
+	buf = bytes.Buffer{}
+	_, err = buf.ReadFrom(pipeReader)
+	require.NoError(t, err)
+
+	sig, err := base64.StdEncoding.DecodeString(string(buf.Bytes()))
+	require.NoError(t, err)
+
+	require.NoError(t, echelper.VerifySignature(secureEnclavePubKey, dataToSign, sig))
+}
+
+// #nosec G306 -- Need readable files
+func copyFile(t *testing.T, source, destination string) {
+	bytes, err := os.ReadFile(source)
+	require.NoError(t, err)
+	require.NoError(t, os.WriteFile(destination, bytes, 0700))
+}
+
+// #nosec G204 -- This triggers due to using env var in cmd, making exception for test
+func signApp(t *testing.T, appRootDir string) {
+	codeSignId := os.Getenv("MACOS_CODESIGN_IDENTITY")
+	require.NotEmpty(t, codeSignId, "need MACOS_CODESIGN_IDENTITY env var to sign app, such as [Mac Developer: Jane Doe (ABCD123456)]")
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(
+		ctx,
+		"codesign",
+		"--deep",
+		"--force",
+		"--options", "runtime",
+		"--entitlements", filepath.Join(macOsAppResourceDir, "entitlements"),
+		"--sign", codeSignId,
+		"--timestamp",
+		appRootDir,
+	)
+
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, ctx.Err())
+	require.NoError(t, err, string(out))
+}