From cd9364fa67be49871bb17243fd0c96cf3221b09e Mon Sep 17 00:00:00 2001 From: Jack Doan Date: Tue, 8 Oct 2024 10:41:48 -0400 Subject: [PATCH] Add TBSCertificate.SignWith to abstract out sources-of-signatures (#1233) * Add TBSCertificate.SignWith to abstract out sources-of-signatures * consistent signatures * eliminate SignPkcs11 * update comment --- cert/sign.go | 72 +++++++++++++++++++---------------------- cmd/nebula-cert/ca.go | 2 +- cmd/nebula-cert/sign.go | 4 +-- 3 files changed, 36 insertions(+), 42 deletions(-) diff --git a/cert/sign.go b/cert/sign.go index 2f768d4ec..741049d6d 100644 --- a/cert/sign.go +++ b/cert/sign.go @@ -11,8 +11,6 @@ import ( "net/netip" "slices" "time" - - "github.com/slackhq/nebula/pkclient" ) // TBSCertificate represents a certificate intended to be signed. @@ -42,22 +40,45 @@ type beingSignedCertificate interface { setSignature([]byte) error } +type SignerLambda func(certBytes []byte) ([]byte, error) + // Sign will create a sealed certificate using details provided by the TBSCertificate as long as those // details do not violate constraints of the signing certificate. // If the TBSCertificate is a CA then signer must be nil. func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Certificate, error) { - return t.sign(signer, curve, key, nil) -} - -func (t *TBSCertificate) SignPkcs11(signer Certificate, curve Curve, client *pkclient.PKClient) (Certificate, error) { - if curve != Curve_P256 { - return nil, fmt.Errorf("only P256 is supported by PKCS#11") + switch t.Curve { + case Curve_CURVE25519: + pk := ed25519.PrivateKey(key) + sp := func(certBytes []byte) ([]byte, error) { + sig := ed25519.Sign(pk, certBytes) + return sig, nil + } + return t.SignWith(signer, curve, sp) + case Curve_P256: + pk := &ecdsa.PrivateKey{ + PublicKey: ecdsa.PublicKey{ + Curve: elliptic.P256(), + }, + // ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95 + D: new(big.Int).SetBytes(key), + } + // ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L119 + pk.X, pk.Y = pk.Curve.ScalarBaseMult(key) + sp := func(certBytes []byte) ([]byte, error) { + // We need to hash first for ECDSA + // - https://pkg.go.dev/crypto/ecdsa#SignASN1 + hashed := sha256.Sum256(certBytes) + return ecdsa.SignASN1(rand.Reader, pk, hashed[:]) + } + return t.SignWith(signer, curve, sp) + default: + return nil, fmt.Errorf("invalid curve: %s", t.Curve) } - - return t.sign(signer, curve, nil, client) } -func (t *TBSCertificate) sign(signer Certificate, curve Curve, key []byte, client *pkclient.PKClient) (Certificate, error) { +// SignWith does the same thing as sign, but uses the function in `sp` to calculate the signature. +// You should only use SignWith if you do not have direct access to your private key. +func (t *TBSCertificate) SignWith(signer Certificate, curve Curve, sp SignerLambda) (Certificate, error) { if curve != t.Curve { return nil, fmt.Errorf("curve in cert and private key supplied don't match") } @@ -112,34 +133,7 @@ func (t *TBSCertificate) sign(signer Certificate, curve Curve, key []byte, clien return nil, err } - var sig []byte - switch t.Curve { - case Curve_CURVE25519: - signer := ed25519.PrivateKey(key) - sig = ed25519.Sign(signer, certBytes) - case Curve_P256: - if client != nil { - sig, err = client.SignASN1(certBytes) - } else { - signer := &ecdsa.PrivateKey{ - PublicKey: ecdsa.PublicKey{ - Curve: elliptic.P256(), - }, - // ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95 - D: new(big.Int).SetBytes(key), - } - // ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L119 - signer.X, signer.Y = signer.Curve.ScalarBaseMult(key) - - // We need to hash first for ECDSA - // - https://pkg.go.dev/crypto/ecdsa#SignASN1 - hashed := sha256.Sum256(certBytes) - sig, err = ecdsa.SignASN1(rand.Reader, signer, hashed[:]) - } - default: - return nil, fmt.Errorf("invalid curve: %s", t.Curve) - } - + sig, err := sp(certBytes) if err != nil { return nil, err } diff --git a/cmd/nebula-cert/ca.go b/cmd/nebula-cert/ca.go index 7548e2124..f83c94fb4 100644 --- a/cmd/nebula-cert/ca.go +++ b/cmd/nebula-cert/ca.go @@ -272,7 +272,7 @@ func ca(args []string, out io.Writer, errOut io.Writer, pr PasswordReader) error var b []byte if isP11 { - c, err = t.SignPkcs11(nil, curve, p11Client) + c, err = t.SignWith(nil, curve, p11Client.SignASN1) if err != nil { return fmt.Errorf("error while signing with PKCS#11: %w", err) } diff --git a/cmd/nebula-cert/sign.go b/cmd/nebula-cert/sign.go index 6ac045214..253ef864e 100644 --- a/cmd/nebula-cert/sign.go +++ b/cmd/nebula-cert/sign.go @@ -316,7 +316,7 @@ func signCert(args []string, out io.Writer, errOut io.Writer, pr PasswordReader) return fmt.Errorf("error while signing: %w", err) } } else { - nc, err = t.SignPkcs11(caCert, curve, p11Client) + nc, err = t.SignWith(caCert, curve, p11Client.SignASN1) if err != nil { return fmt.Errorf("error while signing with PKCS#11: %w", err) } @@ -346,7 +346,7 @@ func signCert(args []string, out io.Writer, errOut io.Writer, pr PasswordReader) return fmt.Errorf("error while signing: %w", err) } } else { - nc, err = t.SignPkcs11(caCert, curve, p11Client) + nc, err = t.SignWith(caCert, curve, p11Client.SignASN1) if err != nil { return fmt.Errorf("error while signing with PKCS#11: %w", err) }