mirror of
https://github.com/maxgoedjen/secretive.git
synced 2026-03-06 17:57:23 +01:00
WIP
This commit is contained in:
Max Goedjen
@@ -31,49 +31,27 @@ public final class Agent: Sendable {
|
||||
|
||||
extension Agent {
|
||||
|
||||
/// Handles an incoming request.
|
||||
/// - Parameters:
|
||||
/// - data: The data to handle.
|
||||
/// - provenance: The origin of the request.
|
||||
/// - Returns: A response data payload.
|
||||
public func handle(data: Data, provenance: SigningRequestProvenance) async throws -> Data {
|
||||
logger.debug("Agent handling new data")
|
||||
guard data.count > 4 else {
|
||||
throw InvalidDataProvidedError()
|
||||
}
|
||||
let requestTypeInt = data[4]
|
||||
guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
|
||||
logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription) for unknown request type \(requestTypeInt)")
|
||||
return SSHAgent.ResponseType.agentFailure.data.lengthAndData
|
||||
}
|
||||
logger.debug("Agent handling request of type \(requestType.debugDescription)")
|
||||
let subData = Data(data[5...])
|
||||
let response = await handle(requestType: requestType, data: subData, provenance: provenance)
|
||||
return response
|
||||
}
|
||||
|
||||
private func handle(requestType: SSHAgent.RequestType, data: Data, provenance: SigningRequestProvenance) async -> Data {
|
||||
public func handle(request: SSHAgent.Request, provenance: SigningRequestProvenance) async -> Data {
|
||||
// Depending on the launch context (such as after macOS update), the agent may need to reload secrets before acting
|
||||
await reloadSecretsIfNeccessary()
|
||||
var response = Data()
|
||||
do {
|
||||
switch requestType {
|
||||
switch request {
|
||||
case .requestIdentities:
|
||||
response.append(SSHAgent.ResponseType.agentIdentitiesAnswer.data)
|
||||
response.append(SSHAgent.Response.agentIdentitiesAnswer.data)
|
||||
response.append(await identities())
|
||||
logger.debug("Agent returned \(SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)")
|
||||
case .signRequest:
|
||||
response.append(SSHAgent.ResponseType.agentSignResponse.data)
|
||||
response.append(try await sign(data: data, provenance: provenance))
|
||||
logger.debug("Agent returned \(SSHAgent.ResponseType.agentSignResponse.debugDescription)")
|
||||
logger.debug("Agent returned \(SSHAgent.Response.agentIdentitiesAnswer.debugDescription)")
|
||||
case .signRequest(let context):
|
||||
response.append(SSHAgent.Response.agentSignResponse.data)
|
||||
response.append(try await sign(data: context.dataToSign, keyBlob: context.keyBlob, provenance: provenance))
|
||||
logger.debug("Agent returned \(SSHAgent.Response.agentSignResponse.debugDescription)")
|
||||
default:
|
||||
logger.debug("Agent received valid request of type \(requestType.debugDescription), but not currently supported.")
|
||||
response.append(SSHAgent.ResponseType.agentFailure.data)
|
||||
|
||||
logger.debug("Agent received valid request of type \(request.debugDescription), but not currently supported.")
|
||||
throw UnhandledRequestError()
|
||||
}
|
||||
} catch {
|
||||
response = SSHAgent.ResponseType.agentFailure.data
|
||||
logger.debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
|
||||
response = SSHAgent.Response.agentFailure.data
|
||||
logger.debug("Agent returned \(SSHAgent.Response.agentFailure.debugDescription)")
|
||||
}
|
||||
return response.lengthAndData
|
||||
}
|
||||
@@ -113,27 +91,23 @@ extension Agent {
|
||||
/// - data: The data to sign.
|
||||
/// - provenance: A ``SecretKit.SigningRequestProvenance`` object describing the origin of the request.
|
||||
/// - Returns: An OpenSSH formatted Data payload containing the signed data response.
|
||||
func sign(data: Data, provenance: SigningRequestProvenance) async throws -> Data {
|
||||
let reader = OpenSSHReader(data: data)
|
||||
let payloadHash = try reader.readNextChunk()
|
||||
let hash: Data
|
||||
|
||||
func sign(data: Data, keyBlob: Data, provenance: SigningRequestProvenance) async throws -> Data {
|
||||
// Check if hash is actually an openssh certificate and reconstruct the public key if it is
|
||||
if let certificatePublicKey = await certificateHandler.publicKeyHash(from: payloadHash) {
|
||||
hash = certificatePublicKey
|
||||
let resolvedBlob: Data
|
||||
if let certificatePublicKey = await certificateHandler.publicKeyHash(from: keyBlob) {
|
||||
resolvedBlob = certificatePublicKey
|
||||
} else {
|
||||
hash = payloadHash
|
||||
resolvedBlob = keyBlob
|
||||
}
|
||||
|
||||
guard let (secret, store) = await secret(matching: hash) else {
|
||||
logger.debug("Agent did not have a key matching \(hash as NSData)")
|
||||
guard let (secret, store) = await secret(matching: resolvedBlob) else {
|
||||
logger.debug("Agent did not have a key matching \(resolvedBlob as NSData)")
|
||||
throw NoMatchingKeyError()
|
||||
}
|
||||
|
||||
try await witness?.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
|
||||
|
||||
let dataToSign = try reader.readNextChunk()
|
||||
let rawRepresentation = try await store.sign(data: dataToSign, with: secret, for: provenance)
|
||||
let rawRepresentation = try await store.sign(data: data, with: secret, for: provenance)
|
||||
let signedData = signatureWriter.data(secret: secret, signature: rawRepresentation)
|
||||
|
||||
try await witness?.witness(accessTo: secret, from: store, by: provenance)
|
||||
@@ -172,16 +146,16 @@ extension Agent {
|
||||
|
||||
extension Agent {
|
||||
|
||||
struct InvalidDataProvidedError: Error {}
|
||||
struct NoMatchingKeyError: Error {}
|
||||
struct UnhandledRequestError: Error {}
|
||||
|
||||
}
|
||||
|
||||
extension SSHAgent.ResponseType {
|
||||
extension SSHAgent.Response {
|
||||
|
||||
var data: Data {
|
||||
var raw = self.rawValue
|
||||
return Data(bytes: &raw, count: UInt8.bitWidth/8)
|
||||
return Data(bytes: &raw, count: MemoryLayout<UInt8>.size)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,26 +1,6 @@
|
||||
import Foundation
|
||||
|
||||
/// Protocol abstraction of the reading aspects of FileHandle.
|
||||
public protocol FileHandleReader: Sendable {
|
||||
|
||||
/// Gets data that is available for reading.
|
||||
var availableData: Data { get }
|
||||
/// A file descriptor of the handle.
|
||||
var fileDescriptor: Int32 { get }
|
||||
/// The process ID of the process coonnected to the other end of the FileHandle.
|
||||
var pidOfConnectedProcess: Int32 { get }
|
||||
|
||||
}
|
||||
|
||||
/// Protocol abstraction of the writing aspects of FileHandle.
|
||||
public protocol FileHandleWriter: Sendable {
|
||||
|
||||
/// Writes data to the handle.
|
||||
func write(_ data: Data)
|
||||
|
||||
}
|
||||
|
||||
extension FileHandle: FileHandleReader, FileHandleWriter {
|
||||
extension FileHandle {
|
||||
|
||||
public var pidOfConnectedProcess: Int32 {
|
||||
let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: MemoryLayout<Int32>.size, alignment: 1)
|
||||
|
||||
@@ -0,0 +1,76 @@
|
||||
import Foundation
|
||||
import OSLog
|
||||
import SecretKit
|
||||
|
||||
public protocol SSHAgentInputParserProtocol: Sendable {
|
||||
func parse(data: Data) async throws -> SSHAgent.Request
|
||||
}
|
||||
|
||||
public struct SSHAgentInputParser: SSHAgentInputParserProtocol {
|
||||
|
||||
private let logger = Logger(subsystem: "com.maxgoedjen.secretive.secretagent", category: "InputParser")
|
||||
|
||||
public init() {
|
||||
|
||||
}
|
||||
|
||||
public func parse(data: Data) async throws -> SSHAgent.Request {
|
||||
logger.debug("Parsing new data")
|
||||
guard data.count > 4 else {
|
||||
throw InvalidDataProvidedError()
|
||||
}
|
||||
let specifiedLength = (data[0..<4].bytes.unsafeLoad(as: UInt32.self).bigEndian) + 4
|
||||
let rawRequestInt = data[4]
|
||||
let remainingDataRange = 4..<min(Int(specifiedLength), data.count)
|
||||
lazy var body: Data = { Data(data[remainingDataRange]) }()
|
||||
switch rawRequestInt {
|
||||
case SSHAgent.Request.requestIdentities.protocolID:
|
||||
return .requestIdentities
|
||||
case SSHAgent.Request.signRequest(.empty).protocolID:
|
||||
return .signRequest(try signatureRequestContext(from: body))
|
||||
case SSHAgent.Request.addIdentity.protocolID:
|
||||
return .addIdentity
|
||||
case SSHAgent.Request.removeIdentity.protocolID:
|
||||
return .removeIdentity
|
||||
case SSHAgent.Request.removeAllIdentities.protocolID:
|
||||
return .removeAllIdentities
|
||||
case SSHAgent.Request.addIDConstrained.protocolID:
|
||||
return .addIDConstrained
|
||||
case SSHAgent.Request.addSmartcardKey.protocolID:
|
||||
return .addSmartcardKey
|
||||
case SSHAgent.Request.removeSmartcardKey.protocolID:
|
||||
return .removeSmartcardKey
|
||||
case SSHAgent.Request.lock.protocolID:
|
||||
return .lock
|
||||
case SSHAgent.Request.unlock.protocolID:
|
||||
return .unlock
|
||||
case SSHAgent.Request.addSmartcardKeyConstrained.protocolID:
|
||||
return .addSmartcardKeyConstrained
|
||||
case SSHAgent.Request.protocolExtension.protocolID:
|
||||
return .protocolExtension
|
||||
default:
|
||||
return .unknown(rawRequestInt)
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
extension SSHAgentInputParser {
|
||||
|
||||
func signatureRequestContext(from data: Data) throws -> SSHAgent.Request.SignatureRequestContext {
|
||||
let reader = OpenSSHReader(data: data)
|
||||
let keyBlob = try reader.readNextChunk()
|
||||
let dataToSign = try reader.readNextChunk()
|
||||
return SSHAgent.Request.SignatureRequestContext(keyBlob: keyBlob, dataToSign: dataToSign)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
extension SSHAgentInputParser {
|
||||
|
||||
struct AgentUnknownRequestError: Error {}
|
||||
struct AgentUnhandledRequestError: Error {}
|
||||
struct InvalidDataProvidedError: Error {}
|
||||
|
||||
}
|
||||
@@ -6,21 +6,39 @@ public enum SSHAgent {}
|
||||
extension SSHAgent {
|
||||
|
||||
/// The type of the SSH Agent Request, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
|
||||
public enum RequestType: UInt8, CustomDebugStringConvertible {
|
||||
public enum Request: CustomDebugStringConvertible, Codable {
|
||||
|
||||
case requestIdentities = 11
|
||||
case signRequest = 13
|
||||
case addIdentity = 17
|
||||
case removeIdentity = 18
|
||||
case removeAllIdentities = 19
|
||||
case addIDConstrained = 25
|
||||
case addSmartcardKey = 20
|
||||
case removeSmartcardKey = 21
|
||||
case lock = 22
|
||||
case unlock = 23
|
||||
case addSmartcardKeyConstrained = 26
|
||||
case protocolExtension = 27
|
||||
case requestIdentities
|
||||
case signRequest(SignatureRequestContext)
|
||||
case addIdentity
|
||||
case removeIdentity
|
||||
case removeAllIdentities
|
||||
case addIDConstrained
|
||||
case addSmartcardKey
|
||||
case removeSmartcardKey
|
||||
case lock
|
||||
case unlock
|
||||
case addSmartcardKeyConstrained
|
||||
case protocolExtension
|
||||
case unknown(UInt8)
|
||||
|
||||
public var protocolID: UInt8 {
|
||||
switch self {
|
||||
case .requestIdentities: 11
|
||||
case .signRequest: 13
|
||||
case .addIdentity: 17
|
||||
case .removeIdentity: 18
|
||||
case .removeAllIdentities: 19
|
||||
case .addIDConstrained: 25
|
||||
case .addSmartcardKey: 20
|
||||
case .removeSmartcardKey: 21
|
||||
case .lock: 22
|
||||
case .unlock: 23
|
||||
case .addSmartcardKeyConstrained: 26
|
||||
case .protocolExtension: 27
|
||||
case .unknown(let value): value
|
||||
}
|
||||
}
|
||||
|
||||
public var debugDescription: String {
|
||||
switch self {
|
||||
@@ -36,12 +54,28 @@ extension SSHAgent {
|
||||
case .unlock: "SSH_AGENTC_UNLOCK"
|
||||
case .addSmartcardKeyConstrained: "SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED"
|
||||
case .protocolExtension: "SSH_AGENTC_EXTENSION"
|
||||
case .unknown: "UNKNOWN_MESSAGE"
|
||||
}
|
||||
}
|
||||
|
||||
public struct SignatureRequestContext: Sendable, Codable {
|
||||
public let keyBlob: Data
|
||||
public let dataToSign: Data
|
||||
|
||||
public init(keyBlob: Data, dataToSign: Data) {
|
||||
self.keyBlob = keyBlob
|
||||
self.dataToSign = dataToSign
|
||||
}
|
||||
|
||||
public static var empty: SignatureRequestContext {
|
||||
SignatureRequestContext(keyBlob: Data(), dataToSign: Data())
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/// The type of the SSH Agent Response, as described in https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent#section-5.1
|
||||
public enum ResponseType: UInt8, CustomDebugStringConvertible {
|
||||
public enum Response: UInt8, CustomDebugStringConvertible {
|
||||
|
||||
case agentFailure = 5
|
||||
case agentSuccess = 6
|
||||
|
||||
@@ -13,9 +13,8 @@ extension SigningRequestTracer {
|
||||
/// Generates a ``SecretKit.SigningRequestProvenance`` from a ``FileHandleReader``.
|
||||
/// - Parameter fileHandleReader: The reader involved in processing the request.
|
||||
/// - Returns: A ``SecretKit.SigningRequestProvenance`` describing the origin of the request.
|
||||
func provenance(from fileHandleReader: FileHandleReader) -> SigningRequestProvenance {
|
||||
let firstInfo = process(from: fileHandleReader.pidOfConnectedProcess)
|
||||
|
||||
func provenance(from fileHandle: FileHandle) -> SigningRequestProvenance {
|
||||
let firstInfo = process(from: fileHandle.pidOfConnectedProcess)
|
||||
var provenance = SigningRequestProvenance(root: firstInfo)
|
||||
while NSRunningApplication(processIdentifier: provenance.origin.pid) == nil && provenance.origin.parentPID != nil {
|
||||
provenance.chain.append(process(from: provenance.origin.parentPID!))
|
||||
|
||||
Reference in New Issue
Block a user