secretive/SecretAgentKit/Agent.swift

170 lines
5.7 KiB
Swift
Raw Normal View History

2020-03-04 07:14:38 +00:00
import Foundation
import CryptoKit
import OSLog
import SecretKit
2020-03-17 07:56:55 +00:00
import SecretAgentKit
import AppKit
2020-03-04 07:14:38 +00:00
public class Agent {
2020-03-04 07:14:38 +00:00
2020-03-09 04:11:59 +00:00
fileprivate let storeList: SecretStoreList
fileprivate let witness: SigningWitness?
fileprivate let writer = OpenSSHKeyWriter()
2020-03-17 07:56:55 +00:00
fileprivate let requestTracer = SigningRequestTracer()
2020-03-04 07:14:38 +00:00
public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
2020-03-04 07:14:38 +00:00
os_log(.debug, "Agent is running")
2020-03-09 04:11:59 +00:00
self.storeList = storeList
self.witness = witness
2020-03-04 07:14:38 +00:00
}
}
extension Agent {
public func handle(fileHandle: FileHandle) {
2020-03-04 07:14:38 +00:00
os_log(.debug, "Agent handling new data")
let data = fileHandle.availableData
guard !data.isEmpty else { return }
let requestTypeInt = data[4]
guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else { return }
os_log(.debug, "Agent handling request of type %@", requestType.debugDescription)
let subData = Data(data[5...])
handle(requestType: requestType, data: subData, fileHandle: fileHandle)
}
func handle(requestType: SSHAgent.RequestType, data: Data, fileHandle: FileHandle) {
var response = Data()
do {
switch requestType {
case .requestIdentities:
response.append(SSHAgent.ResponseType.agentIdentitiesAnswer.data)
response.append(try identities())
os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)
case .signRequest:
response.append(SSHAgent.ResponseType.agentSignResponse.data)
2020-03-17 07:56:55 +00:00
response.append(try sign(data: data, from: fileHandle.fileDescriptor))
2020-03-04 07:14:38 +00:00
os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentSignResponse.debugDescription)
}
} catch {
response.removeAll()
response.append(SSHAgent.ResponseType.agentFailure.data)
os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentFailure.debugDescription)
}
let full = OpenSSHKeyWriter().lengthAndData(of: response)
fileHandle.write(full)
}
}
extension Agent {
func identities() throws -> Data {
2020-03-15 02:40:03 +00:00
// TODO: RESTORE ONCE XCODE 11.4 IS GM
let secrets = storeList.stores.flatMap { $0.secrets }
// let secrets = storeList.stores.flatMap(\.secrets)
2020-03-09 04:11:59 +00:00
var count = UInt32(secrets.count).bigEndian
2020-03-04 07:14:38 +00:00
let countData = Data(bytes: &count, count: UInt32.bitWidth/8)
var keyData = Data()
let writer = OpenSSHKeyWriter()
2020-03-09 04:11:59 +00:00
for secret in secrets {
2020-03-04 07:14:38 +00:00
let keyBlob = writer.data(secret: secret)
keyData.append(writer.lengthAndData(of: keyBlob))
let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
2020-03-04 07:14:38 +00:00
keyData.append(writer.lengthAndData(of: curveData))
}
2020-03-09 04:11:59 +00:00
os_log(.debug, "Agent enumerated %@ identities", secrets.count as NSNumber)
2020-03-04 07:14:38 +00:00
return countData + keyData
}
2020-03-17 07:56:55 +00:00
func sign(data: Data, from pid: Int32) throws -> Data {
2020-03-04 07:14:38 +00:00
let reader = OpenSSHReader(data: data)
let hash = try reader.readNextChunk()
guard let (store, secret) = secret(matching: hash) else {
os_log(.debug, "Agent did not have a key matching %@", hash as NSData)
2020-03-04 07:14:38 +00:00
throw AgentError.noMatchingKey
}
2020-03-17 07:56:55 +00:00
let provenance = requestTracer.provenance(from: pid)
if let witness = witness {
2020-03-19 03:04:24 +00:00
try witness.speakNowOrForeverHoldYourPeace(forAccessTo: secret, by: provenance)
}
2020-03-04 07:14:38 +00:00
let dataToSign = try reader.readNextChunk()
let derSignature = try store.sign(data: dataToSign, with: secret)
let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
2020-03-04 07:14:38 +00:00
// Convert from DER formatted rep to raw (r||s)
let rawRepresentation: Data
switch (secret.algorithm, secret.keySize) {
case (.ellipticCurve, 256):
rawRepresentation = try CryptoKit.P256.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
case (.ellipticCurve, 384):
rawRepresentation = try CryptoKit.P384.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
default:
fatalError()
}
let rawLength = rawRepresentation.count/2
let r = rawRepresentation[0..<rawLength]
let s = rawRepresentation[rawLength...]
2020-03-04 07:14:38 +00:00
var signatureChunk = Data()
signatureChunk.append(writer.lengthAndData(of: r))
signatureChunk.append(writer.lengthAndData(of: s))
var signedData = Data()
var sub = Data()
sub.append(writer.lengthAndData(of: curveData))
sub.append(writer.lengthAndData(of: signatureChunk))
signedData.append(writer.lengthAndData(of: sub))
2020-03-19 03:04:24 +00:00
if let witness = witness {
try witness.witness(accessTo: secret, by: provenance)
}
2020-03-04 07:14:38 +00:00
os_log(.debug, "Agent signed request")
return signedData
}
}
extension Agent {
func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
let allMatching = store.secrets.filter { secret in
hash == writer.data(secret: secret)
}
if let matching = allMatching.first {
return (store, matching)
}
return nil
}.first
}
}
2020-03-04 07:14:38 +00:00
extension Agent {
enum AgentError: Error {
case unhandledType
case noMatchingKey
}
}
extension SSHAgent.ResponseType {
var data: Data {
var raw = self.rawValue
return Data(bytes: &raw, count: UInt8.bitWidth/8)
}
}