WIP SPM

2026-03-23 17:47:24 +01:00 · 2021-12-08 23:21:41 -08:00
parent 6bb9fd376f
commit 4f6f097873
95 changed files with 90 additions and 2769 deletions
--- a/Sources/SecretAgentKit/Agent.swift
+++ b/Sources/SecretAgentKit/Agent.swift
@@ -0,0 +1,182 @@
+import Foundation
+import CryptoKit
+import OSLog
+import SecretKit
+import AppKit
+
+public class Agent {
+
+    private let storeList: SecretStoreList
+    private let witness: SigningWitness?
+    private let writer = OpenSSHKeyWriter()
+    private let requestTracer = SigningRequestTracer()
+
+    public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
+        Logger().debug("Agent is running")
+        self.storeList = storeList
+        self.witness = witness
+    }
+    
+}
+
+extension Agent {
+
+    public func handle(reader: FileHandleReader, writer: FileHandleWriter) {
+        Logger().debug("Agent handling new data")
+        let data = reader.availableData
+        guard !data.isEmpty else { return }
+        let requestTypeInt = data[4]
+        guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else {
+            writer.write(OpenSSHKeyWriter().lengthAndData(of: SSHAgent.ResponseType.agentFailure.data))
+            Logger().debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
+            return
+        }
+        Logger().debug("Agent handling request of type \(requestType.debugDescription)")
+        let subData = Data(data[5...])
+        let response = handle(requestType: requestType, data: subData, reader: reader)
+        writer.write(response)
+    }
+
+    func handle(requestType: SSHAgent.RequestType, data: Data, reader: FileHandleReader) -> Data {
+        var response = Data()
+        do {
+            switch requestType {
+            case .requestIdentities:
+                response.append(SSHAgent.ResponseType.agentIdentitiesAnswer.data)
+                response.append(identities())
+                Logger().debug("Agent returned \(SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)")
+            case .signRequest:
+                let provenance = requestTracer.provenance(from: reader)
+                response.append(SSHAgent.ResponseType.agentSignResponse.data)
+                response.append(try sign(data: data, provenance: provenance))
+                Logger().debug("Agent returned \(SSHAgent.ResponseType.agentSignResponse.debugDescription)")
+            }
+        } catch {
+            response.removeAll()
+            response.append(SSHAgent.ResponseType.agentFailure.data)
+            Logger().debug("Agent returned \(SSHAgent.ResponseType.agentFailure.debugDescription)")
+        }
+        let full = OpenSSHKeyWriter().lengthAndData(of: response)
+        return full
+    }
+
+}
+
+extension Agent {
+
+    func identities() -> Data {
+        let secrets = storeList.stores.flatMap(\.secrets)
+        var count = UInt32(secrets.count).bigEndian
+        let countData = Data(bytes: &count, count: UInt32.bitWidth/8)
+        var keyData = Data()
+        let writer = OpenSSHKeyWriter()
+        for secret in secrets {
+            let keyBlob = writer.data(secret: secret)
+            keyData.append(writer.lengthAndData(of: keyBlob))
+            let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
+            keyData.append(writer.lengthAndData(of: curveData))
+        }
+        Logger().debug("Agent enumerated \(secrets.count) identities")
+        return countData + keyData
+    }
+
+    func sign(data: Data, provenance: SigningRequestProvenance) throws -> Data {
+        let reader = OpenSSHReader(data: data)
+        let hash = reader.readNextChunk()
+        guard let (store, secret) = secret(matching: hash) else {
+            Logger().debug("Agent did not have a key matching \(hash as NSData)")
+            throw AgentError.noMatchingKey
+        }
+
+        if let witness = witness {
+            try witness.speakNowOrForeverHoldYourPeace(forAccessTo: secret, from: store, by: provenance)
+        }
+
+        let dataToSign = reader.readNextChunk()
+        let signed = try store.sign(data: dataToSign, with: secret, for: provenance)
+        let derSignature = signed.data
+
+        let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
+
+        // Convert from DER formatted rep to raw (r||s)
+
+        let rawRepresentation: Data
+        switch (secret.algorithm, secret.keySize) {
+        case (.ellipticCurve, 256):
+            rawRepresentation = try CryptoKit.P256.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
+        case (.ellipticCurve, 384):
+            rawRepresentation = try CryptoKit.P384.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
+        default:
+            throw AgentError.unsupportedKeyType
+        }
+
+
+        let rawLength = rawRepresentation.count/2
+        // Check if we need to pad with 0x00 to prevent certain
+        // ssh servers from thinking r or s is negative
+        let paddingRange: ClosedRange<UInt8> = 0x80...0xFF
+        var r = Data(rawRepresentation[0..<rawLength])
+        if paddingRange ~= r.first! {
+            r.insert(0x00, at: 0)
+        }
+        var s = Data(rawRepresentation[rawLength...])
+        if paddingRange ~= s.first! {
+            s.insert(0x00, at: 0)
+        }
+
+        var signatureChunk = Data()
+        signatureChunk.append(writer.lengthAndData(of: r))
+        signatureChunk.append(writer.lengthAndData(of: s))
+
+        var signedData = Data()
+        var sub = Data()
+        sub.append(writer.lengthAndData(of: curveData))
+        sub.append(writer.lengthAndData(of: signatureChunk))
+        signedData.append(writer.lengthAndData(of: sub))
+
+        if let witness = witness {
+            try witness.witness(accessTo: secret, from: store, by: provenance, requiredAuthentication: signed.requiredAuthentication)
+        }
+
+        Logger().debug("Agent signed request")
+
+        return signedData
+    }
+
+}
+
+extension Agent {
+
+    func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
+        storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
+            let allMatching = store.secrets.filter { secret in
+                hash == writer.data(secret: secret)
+            }
+            if let matching = allMatching.first {
+                return (store, matching)
+            }
+            return nil
+        }.first
+    }
+
+}
+
+
+extension Agent {
+
+    enum AgentError: Error {
+        case unhandledType
+        case noMatchingKey
+        case unsupportedKeyType
+    }
+
+}
+
+extension SSHAgent.ResponseType {
+
+    var data: Data {
+        var raw = self.rawValue
+        return  Data(bytes: &raw, count: UInt8.bitWidth/8)
+    }
+
+}
--- a/Sources/SecretAgentKit/FileHandleProtocols.swift
+++ b/Sources/SecretAgentKit/FileHandleProtocols.swift
@@ -0,0 +1,26 @@
+import Foundation
+
+public protocol FileHandleReader {
+
+    var availableData: Data { get }
+    var fileDescriptor: Int32 { get }
+    var pidOfConnectedProcess: Int32 { get }
+
+}
+
+public protocol FileHandleWriter {
+
+    func write(_ data: Data)
+
+}
+
+extension FileHandle: FileHandleReader, FileHandleWriter {
+
+    public var pidOfConnectedProcess: Int32 {
+        let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: 4, alignment: 1)
+        var len = socklen_t(MemoryLayout<Int32>.size)
+        getsockopt(fileDescriptor, SOCK_STREAM, LOCAL_PEERPID, pidPointer, &len)
+        return pidPointer.load(as: Int32.self)
+    }
+
+}
--- a/Sources/SecretAgentKit/SSHAgentProtocol.swift
+++ b/Sources/SecretAgentKit/SSHAgentProtocol.swift
@@ -0,0 +1,38 @@
+import Foundation
+
+public enum SSHAgent {}
+
+extension SSHAgent {
+
+    public enum RequestType: UInt8, CustomDebugStringConvertible {
+        case requestIdentities = 11
+        case signRequest = 13
+
+        public var debugDescription: String {
+            switch self {
+            case .requestIdentities:
+                return "RequestIdentities"
+            case .signRequest:
+                return "SignRequest"
+            }
+        }
+    }
+
+    public enum ResponseType: UInt8, CustomDebugStringConvertible {
+        case agentFailure = 5
+        case agentIdentitiesAnswer = 12
+        case agentSignResponse = 14
+
+        public var debugDescription: String {
+            switch self {
+            case .agentFailure:
+                return "AgentFailure"
+            case .agentIdentitiesAnswer:
+                return "AgentIdentitiesAnswer"
+            case .agentSignResponse:
+                return "AgentSignResponse"
+            }
+        }
+    }
+    
+}
--- a/Sources/SecretAgentKit/SecretAgentKit.h
+++ b/Sources/SecretAgentKit/SecretAgentKit.h
@@ -0,0 +1,19 @@
+#import <Foundation/Foundation.h>
+#import <Security/Security.h>
+
+
+// Forward declarations
+
+// from libproc.h
+int proc_pidpath(int pid, void * buffer, uint32_t  buffersize);
+
+// from SecTask.h
+OSStatus SecCodeCreateWithPID(int32_t, SecCSFlags, SecCodeRef *);
+
+//! Project version number for SecretAgentKit.
+FOUNDATION_EXPORT double SecretAgentKitVersionNumber;
+
+//! Project version string for SecretAgentKit.
+FOUNDATION_EXPORT const unsigned char SecretAgentKitVersionString[];
+
+
--- a/Sources/SecretAgentKit/SigningRequestTracer.swift
+++ b/Sources/SecretAgentKit/SigningRequestTracer.swift
@@ -0,0 +1,60 @@
+import Foundation
+import AppKit
+import Security
+import SecretKit
+
+struct SigningRequestTracer {
+}
+
+extension SigningRequestTracer {
+
+    func provenance(from fileHandleReader: FileHandleReader) -> SigningRequestProvenance {
+        let firstInfo = process(from: fileHandleReader.pidOfConnectedProcess)
+
+        var provenance = SigningRequestProvenance(root: firstInfo)
+        while NSRunningApplication(processIdentifier: provenance.origin.pid) == nil && provenance.origin.parentPID != nil {
+            provenance.chain.append(process(from: provenance.origin.parentPID!))
+        }
+        return provenance
+    }
+
+    func pidAndNameInfo(from pid: Int32) -> kinfo_proc {
+        var len = MemoryLayout<kinfo_proc>.size
+        let infoPointer = UnsafeMutableRawPointer.allocate(byteCount: len, alignment: 1)
+        var name: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, pid]
+        sysctl(&name, UInt32(name.count), infoPointer, &len, nil, 0)
+        return infoPointer.load(as: kinfo_proc.self)
+    }
+
+    func process(from pid: Int32) -> SigningRequestProvenance.Process {
+        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
+        let ppid = pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
+        let procName = String(cString: &pidAndNameInfo.kp_proc.p_comm.0)
+        let pathPointer = UnsafeMutablePointer<UInt8>.allocate(capacity: Int(MAXPATHLEN))
+        _ = proc_pidpath(pid, pathPointer, UInt32(MAXPATHLEN))
+        let path = String(cString: pathPointer)
+        var secCode: Unmanaged<SecCode>!
+        let flags: SecCSFlags = [.considerExpiration, .enforceRevocationChecks]
+        SecCodeCreateWithPID(pid, SecCSFlags(), &secCode)
+        let valid = SecCodeCheckValidity(secCode.takeRetainedValue(), flags, nil) == errSecSuccess
+        return SigningRequestProvenance.Process(pid: pid, processName: procName, appName: appName(for: pid), iconURL: iconURL(for: pid), path: path, validSignature: valid, parentPID: ppid)
+    }
+
+    func iconURL(for pid: Int32) -> URL? {
+        do {
+            if let app = NSRunningApplication(processIdentifier: pid), let icon = app.icon?.tiffRepresentation {
+                let temporaryURL = URL(fileURLWithPath: (NSTemporaryDirectory() as NSString).appendingPathComponent("\(UUID().uuidString).png"))
+                let bitmap = NSBitmapImageRep(data: icon)
+                try bitmap?.representation(using: .png, properties: [:])?.write(to: temporaryURL)
+                return temporaryURL
+            }
+        } catch {
+        }
+        return nil
+    }
+
+    func appName(for pid: Int32) -> String? {
+        NSRunningApplication(processIdentifier: pid)?.localizedName
+    }
+
+}
--- a/Sources/SecretAgentKit/SigningWitness.swift
+++ b/Sources/SecretAgentKit/SigningWitness.swift
@@ -0,0 +1,9 @@
+import Foundation
+import SecretKit
+
+public protocol SigningWitness {
+
+    func speakNowOrForeverHoldYourPeace(forAccessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance) throws
+    func witness(accessTo secret: AnySecret, from store: AnySecretStore, by provenance: SigningRequestProvenance, requiredAuthentication: Bool) throws
+
+}
--- a/Sources/SecretAgentKit/SocketController.swift
+++ b/Sources/SecretAgentKit/SocketController.swift
@@ -0,0 +1,67 @@
+import Foundation
+import OSLog
+
+public class SocketController {
+
+    private var fileHandle: FileHandle?
+    private var port: SocketPort?
+    public var handler: ((FileHandleReader, FileHandleWriter) -> Void)?
+
+    public init(path: String) {
+        Logger().debug("Socket controller setting up at \(path)")
+        if let _ = try? FileManager.default.removeItem(atPath: path) {
+            Logger().debug("Socket controller removed existing socket")
+        }
+        let exists = FileManager.default.fileExists(atPath: path)
+        assert(!exists)
+        Logger().debug("Socket controller path is clear")
+        port = socketPort(at: path)
+        configureSocket(at: path)
+        Logger().debug("Socket listening at \(path)")
+    }
+
+    func configureSocket(at path: String) {
+        guard let port = port else { return }
+        fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
+        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionAccept(notification:)), name: .NSFileHandleConnectionAccepted, object: nil)
+        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionDataAvailable(notification:)), name: .NSFileHandleDataAvailable, object: nil)
+        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
+    }
+
+    func socketPort(at path: String) -> SocketPort {
+        var addr = sockaddr_un()
+        addr.sun_family = sa_family_t(AF_UNIX)
+
+        var len: Int = 0
+        withUnsafeMutablePointer(to: &addr.sun_path.0) { pointer in
+            path.withCString { cstring in
+                len = strlen(cstring)
+                strncpy(pointer, cstring, len)
+            }
+        }
+        addr.sun_len = UInt8(len+2)
+
+        var data: Data!
+        withUnsafePointer(to: &addr) { pointer in
+            data = Data(bytes: pointer, count: MemoryLayout<sockaddr_un>.size)
+        }
+
+        return SocketPort(protocolFamily: AF_UNIX, socketType: SOCK_STREAM, protocol: 0, address: data)!
+    }
+
+    @objc func handleConnectionAccept(notification: Notification) {
+        Logger().debug("Socket controller accepted connection")
+        guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { return }
+        handler?(new, new)
+        new.waitForDataInBackgroundAndNotify()
+        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
+    }
+
+    @objc func handleConnectionDataAvailable(notification: Notification) {
+        Logger().debug("Socket controller has new data available")
+        guard let new = notification.object as? FileHandle else { return }
+        Logger().debug("Socket controller received new file handle")
+        handler?(new, new)
+    }
+
+}