Request Attribution (#59)

2026-03-05 09:24:49 +01:00 · 2020-03-17 00:56:55 -07:00
parent 4b66e874a7
commit 2b5fdf541d
7 changed files with 95 additions and 9 deletions
--- a/SecretAgentKit/Agent.swift
+++ b/SecretAgentKit/Agent.swift
@@ -2,12 +2,15 @@ import Foundation
 import CryptoKit
 import OSLog
 import SecretKit
+import SecretAgentKit
+import AppKit

 public class Agent {

    fileprivate let storeList: SecretStoreList
    fileprivate let witness: SigningWitness?
    fileprivate let writer = OpenSSHKeyWriter()
+    fileprivate let requestTracer = SigningRequestTracer()

    public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
        os_log(.debug, "Agent is running")
@@ -40,7 +43,7 @@ extension Agent {
                os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)
            case .signRequest:
                response.append(SSHAgent.ResponseType.agentSignResponse.data)
-                response.append(try sign(data: data))
+                response.append(try sign(data: data, from: fileHandle.fileDescriptor))
                os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentSignResponse.debugDescription)
            }
        } catch {
@@ -74,7 +77,7 @@ extension Agent {
        return countData + keyData
    }

-    func sign(data: Data) throws -> Data {
+    func sign(data: Data, from pid: Int32) throws -> Data {
        let reader = OpenSSHReader(data: data)
        let hash = try reader.readNextChunk()
        guard let (store, secret) = secret(matching: hash) else {
@@ -82,8 +85,9 @@ extension Agent {
            throw AgentError.noMatchingKey
        }

+        let provenance = requestTracer.provenance(from: pid)
        if let witness = witness {
-            try witness.witness(accessTo: secret)
+            try witness.witness(accessTo: secret, by: provenance)
        }

        let dataToSign = try reader.readNextChunk()
--- a/SecretAgentKit/SigningRequestProvenance.swift
+++ b/SecretAgentKit/SigningRequestProvenance.swift
@@ -0,0 +1,39 @@
+import Foundation
+import AppKit
+
+public struct SigningRequestProvenance {
+
+    public var chain: [Process]
+    public init(root: Process) {
+        self.chain = [root]
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public var origin: Process {
+        chain.last!
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public struct Process {
+
+        public let pid: Int32
+        public let name: String
+        public let path: String
+        let parentPID: Int32?
+
+        init(pid: Int32, name: String, path: String, parentPID: Int32?) {
+            self.pid = pid
+            self.name = name
+            self.path = path
+            self.parentPID = parentPID
+        }
+
+    }
+
+}
--- a/SecretAgentKit/SigningRequestTracer.swift
+++ b/SecretAgentKit/SigningRequestTracer.swift
@@ -0,0 +1,35 @@
+import Foundation
+import AppKit
+
+struct SigningRequestTracer {
+
+    func provenance(from pid: Int32) -> SigningRequestProvenance {
+        let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: 4, alignment: 1)
+        var len = socklen_t(MemoryLayout<Int32>.size)
+        getsockopt(pid, SOCK_STREAM, LOCAL_PEERPID, pidPointer, &len)
+        let pid = pidPointer.load(as: Int32.self)
+        let firstInfo = process(from: pid)
+
+        var provenance = SigningRequestProvenance(root: firstInfo)
+        while NSRunningApplication(processIdentifier: provenance.origin.pid) == nil && provenance.origin.parentPID != nil {
+            provenance.chain.append(process(from: provenance.origin.parentPID!))
+        }
+        return provenance
+    }
+
+    func pidAndNameInfo(from pid: Int32) -> kinfo_proc {
+        var len = MemoryLayout<kinfo_proc>.size
+        let infoPointer = UnsafeMutableRawPointer.allocate(byteCount: len, alignment: 1)
+        var name: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, pid]
+        sysctl(&name, UInt32(name.count), infoPointer, &len, nil, 0)
+        return infoPointer.load(as: kinfo_proc.self)
+    }
+
+    func process(from pid: Int32) -> SigningRequestProvenance.Process {
+        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
+        let ppid = pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
+        let procName = String(cString: &pidAndNameInfo.kp_proc.p_comm.0)
+        return SigningRequestProvenance.Process(pid: pid, name: procName, path: "", parentPID: ppid)
+    }
+
+}
--- a/SecretAgentKit/SigningWitness.swift
+++ b/SecretAgentKit/SigningWitness.swift
@@ -3,6 +3,6 @@ import SecretKit

 public protocol SigningWitness {

-    func witness(accessTo secret: AnySecret) throws
+    func witness(accessTo secret: AnySecret, by provenance: SigningRequestProvenance) throws

 }