From 6dd5a18e962a7484ae89530704f6d2cc15d8e3c1 Mon Sep 17 00:00:00 2001
From: Mauro Morales
Date: Thu, 23 May 2024 16:06:30 +0200
Subject: [PATCH] Bump sdk to v0.1.8 (#349)
* Bump sdk to v0.1.8
Signed-off-by: Mauro Morales
* Use new signing methods
Signed-off-by: Mauro Morales
---------
Signed-off-by: Mauro Morales
---
 go.mod | 4 ++--
 go.sum | 8 ++++----
 pkg/uki/common.go | 28 ++++++++++++++++++++++------
 3 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/go.mod b/go.mod
index 6c56ba29..8450f82e 100644
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/hashicorp/go-multierror v1.1.1
 github.com/jaypipes/ghw v0.12.0
 github.com/joho/godotenv v1.5.1
- github.com/kairos-io/kairos-sdk v0.1.7
+ github.com/kairos-io/kairos-sdk v0.1.8
 github.com/kairos-io/kcrypt v0.11.1
 github.com/labstack/echo/v4 v4.12.0
 github.com/mitchellh/mapstructure v1.5.0
@@ -44,7 +44,7 @@ require (
 require (
 github.com/edsrzf/mmap-go v1.1.0
- github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2
+ github.com/foxboron/go-uefi v0.0.0-20240522180132-205d5597883a
 github.com/google/go-github/v40 v40.0.0
 github.com/saferwall/pe v1.5.3
 github.com/twpayne/go-vfs/v4 v4.3.0
diff --git a/go.sum b/go.sum
index d3d9b920..5d8e8e66 100644
--- a/go.sum
+++ b/go.sum
@@ -152,8 +152,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/erikgeiser/promptkit v0.9.0 h1:3qL1mS/ntCrXdb8sTP/ka82CJ9kEQaGuYXNrYJkWYBc=
 github.com/erikgeiser/promptkit v0.9.0/go.mod h1:pU9dtogSe3Jlc2AY77EP7R4WFP/vgD4v+iImC83KsCo=
-github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2 h1:qGlg/7H49H30Eu7nkCBA7YxNmW30ephqBf7xIxlAGuQ=
-github.com/foxboron/go-uefi v0.0.0-20240128152106-48be911532c2/go.mod h1:ffg/fkDeOYicEQLoO2yFFGt00KUTYVXI+rfnc8il6vQ=
+github.com/foxboron/go-uefi v0.0.0-20240522180132-205d5597883a h1:Q/VIO3QAlaF95JqVVF39udInPR76lu02yrMDInavm8Q=
+github.com/foxboron/go-uefi v0.0.0-20240522180132-205d5597883a/go.mod h1:ffg/fkDeOYicEQLoO2yFFGt00KUTYVXI+rfnc8il6vQ=
 github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -289,8 +289,8 @@ github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfV
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004 h1:G+9t9cEtnC9jFiTxyptEKuNIAbiN5ZCQzX2a74lj3xg=
 github.com/jzelinskie/whirlpool v0.0.0-20201016144138-0675e54bb004/go.mod h1:KmHnJWQrgEvbuy0vcvj00gtMqbvNn1L+3YUZLK/B92c=
-github.com/kairos-io/kairos-sdk v0.1.7 h1:h2H1/sG4+4xEPh0zMFFtl4yEgzrXI8IDdDiQZe4ib6g=
-github.com/kairos-io/kairos-sdk v0.1.7/go.mod h1:sR1X4B3F1nkaECQ1vdsJ78OIkfLfyB22/aIpdRQJ/Mo=
+github.com/kairos-io/kairos-sdk v0.1.8 h1:TKigA+3Nmzn/NLztbLVBLacpx0cK1oJl1AoZarohU98=
+github.com/kairos-io/kairos-sdk v0.1.8/go.mod h1:asSOyJanH10Cnxl9zx5RzyYNMhEworaiMh/7uRnS4GA=
 github.com/kairos-io/kcrypt v0.11.1 h1:azIX1QI5dEzVLvgftNleCY4AyklhTXewCoi4eTC7jhU=
 github.com/kairos-io/kcrypt v0.11.1/go.mod h1:Gz1izzOWwbnJwtq+XqiZQ8cPktWcDIKw03YM1PWAk4c=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
diff --git a/pkg/uki/common.go b/pkg/uki/common.go
index 5168733a..5e1af2b7 100644
--- a/pkg/uki/common.go
+++ b/pkg/uki/common.go
@@ -1,6 +1,7 @@
 package uki
 import (
+ "bytes"
 "crypto/x509"
 "encoding/hex"
 "errors"
@@ -10,10 +11,10 @@ import (
 "strings"
 "github.com/edsrzf/mmap-go"
+ "github.com/foxboron/go-uefi/authenticode"
 "github.com/foxboron/go-uefi/efi"
- "github.com/foxboron/go-uefi/efi/pecoff"
- "github.com/foxboron/go-uefi/efi/pkcs7"
 "github.com/foxboron/go-uefi/efi/signature"
+ "github.com/foxboron/go-uefi/pkcs7"
 "github.com/kairos-io/kairos-agent/v2/pkg/constants"
 v1 "github.com/kairos-io/kairos-agent/v2/pkg/types/v1"
 fsutils "github.com/kairos-io/kairos-agent/v2/pkg/utils/fs"
@@ -231,14 +232,19 @@ func checkArtifactSignatureIsValid(fs v1.FS, artifact string, logger sdkTypes.Ka
 logger.Logger.Debug().Str("what", artifact).Msg("Getting signatures from artifact")
 // Get signatures from the artifact
- sigs, err := pecoff.GetSignatures(data)
+ binary, err := authenticode.Parse(bytes.NewReader(data))
 if err != nil {
 return fmt.Errorf("%s: %w", artifact, err)
 }
- if len(sigs) == 0 {
+ if binary.Datadir.Size == 0 {
 return fmt.Errorf("no signatures in the file %s", artifact)
 }
+ sigs, err := binary.Signatures()
+ if err != nil {
+ return fmt.Errorf("%s: %w", artifact, err)
+ }
+
 logger.Logger.Debug().Str("what", artifact).Msg("Getting DBX certs")
 dbx, err := efi.Getdbx()
 if err != nil {
@@ -271,7 +277,12 @@ func checkArtifactSignatureIsValid(fs v1.FS, artifact string, logger sdkTypes.Ka
 for _, sig := range sigs {
 for _, cert := range result {
 logger.Logger.Debug().Str("what", artifact).Str("subject", cert.Subject.CommonName).Msg("checking signature")
- ok, _ := pkcs7.VerifySignature(cert, sig.Certificate)
+ p, err := pkcs7.ParsePKCS7(sig.Certificate)
+ if err != nil {
+ logger.Logger.Info().Str("error", err.Error()).Msg("parsing signature")
+ return err
+ }
+ ok, _ := p.Verify(cert)
 // If cert matches then it means its blacklisted so return error
 if ok {
 return fmt.Errorf("artifact is signed with a blacklisted cert")
@@ -288,7 +299,12 @@ func checkArtifactSignatureIsValid(fs v1.FS, artifact string, logger sdkTypes.Ka
 for _, sig := range sigs {
 for _, cert := range dbCerts {
 logger.Logger.Debug().Str("what", artifact).Str("subject", cert.Subject.CommonName).Msg("checking signature")
- ok, _ := pkcs7.VerifySignature(cert, sig.Certificate)
+ p, err := pkcs7.ParsePKCS7(sig.Certificate)
+ if err != nil {
+ logger.Logger.Info().Str("error", err.Error()).Msg("parsing signature")
+ return err
+ }
+ ok, _ := p.Verify(cert)
 if ok {
 logger.Logger.Info().Str("what", artifact).Str("subject", cert.Subject.CommonName).Msg("verified")
 return nil
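Review bot: The new guard `if binary.Datadir.Size == 0` checks the size of the certificate-table data directory, not how many entries `binary.Signatures()` actually returns, so a file whose security directory is non-empty but yields zero parsed signatures now passes with an empty `sigs` and the dbx/db loops below simply never execute. Keep the original condition after the new `Signatures()` call: `if len(sigs) == 0 { return fmt.Errorf("no signatures in the file %s", artifact) }`; the `Datadir.Size` test can remain as a cheap early exit. Whether an empty `sigs` is rejected after the db loop is outside the hunk, so I cannot tell, but the explicit error is clearer either way. checkArtifactSignatureIsValid begins before this hunk and continues past it.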
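Review bot: `pkcs7.ParsePKCS7(sig.Certificate)` now runs inside the inner `for _, cert := range result` loop, so each signature blob is re-parsed once per dbx certificate, and a parse failure is both logged at Info and returned to the caller. Hoist the parse to the outer loop — `p, err := pkcs7.ParsePKCS7(sig.Certificate)` directly after `for _, sig := range sigs {`, with its error check — and keep only `ok, _ := p.Verify(cert)` in the inner loop; handle the error at one layer rather than log-and-return. The db pass in the following hunk repeats the same pattern and should be hoisted the same way. Note that `ok, _ := p.Verify(cert)` still discards the verification error as the old `VerifySignature` call did; in the revocation pass an error is treated as "not revoked", which is the permissive direction, so it is worth surfacing at Debug level rather than dropping.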
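Review bot: The accept decision in the db pass is `ok, _ := p.Verify(cert)` on the parsed PKCS#7 structure alone; nothing in this hunk compares the digest carried in the signature's signed content with the hash of the image that `authenticode.Parse` just loaded. If `pkcs7.Verify` only checks the SignerInfo signature against `cert` — I cannot confirm that from here and it needs checking against go-uefi at 205d5597883a — a signature block lifted from any db-signed image would verify on a tampered one. If the parsed `binary` exposes a `Verify(cert)` that also checks the image hash, prefer `ok, _ := binary.Verify(cert)` here (and correspondingly in the dbx pass) over re-implementing the per-signature check. What is returned when no db certificate matches is outside the hunk.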