Cleaning up a bit

SecretAgentKit/Agent.swift

@@ -0,0 +1,165 @@
+import Foundation
+import CryptoKit
+import OSLog
+import SecretKit
+import SecretAgentKit
+import AppKit
+
+public class Agent {
+
+    fileprivate let storeList: SecretStoreList
+    fileprivate let witness: SigningWitness?
+    fileprivate let writer = OpenSSHKeyWriter()
+    fileprivate let requestTracer = SigningRequestTracer()
+
+    public init(storeList: SecretStoreList, witness: SigningWitness? = nil) {
+        os_log(.debug, "Agent is running")
+        self.storeList = storeList
+        self.witness = witness
+    }
+    
+}
+
+extension Agent {
+
+    public func handle(fileHandle: FileHandle) {
+        os_log(.debug, "Agent handling new data")
+        let data = fileHandle.availableData
+        guard !data.isEmpty else { return }
+        let requestTypeInt = data[4]
+        guard let requestType = SSHAgent.RequestType(rawValue: requestTypeInt) else { return }
+        os_log(.debug, "Agent handling request of type %@", requestType.debugDescription)
+        let subData = Data(data[5...])
+        handle(requestType: requestType, data: subData, fileHandle: fileHandle)
+    }
+
+    func handle(requestType: SSHAgent.RequestType, data: Data, fileHandle: FileHandle) {
+        var response = Data()
+        do {
+            switch requestType {
+            case .requestIdentities:
+                response.append(SSHAgent.ResponseType.agentIdentitiesAnswer.data)
+                response.append(try identities())
+                os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentIdentitiesAnswer.debugDescription)
+            case .signRequest:
+                response.append(SSHAgent.ResponseType.agentSignResponse.data)
+                response.append(try sign(data: data, from: fileHandle.fileDescriptor))
+                os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentSignResponse.debugDescription)
+            }
+        } catch {
+            response.removeAll()
+            response.append(SSHAgent.ResponseType.agentFailure.data)
+            os_log(.debug, "Agent returned %@", SSHAgent.ResponseType.agentFailure.debugDescription)
+        }
+        let full = OpenSSHKeyWriter().lengthAndData(of: response)
+        fileHandle.write(full)
+    }
+
+}
+
+extension Agent {
+
+    func identities() throws -> Data {
+        // TODO: RESTORE ONCE XCODE 11.4 IS GM
+        let secrets = storeList.stores.flatMap { $0.secrets }
+//        let secrets = storeList.stores.flatMap(\.secrets)
+        var count = UInt32(secrets.count).bigEndian
+        let countData = Data(bytes: &count, count: UInt32.bitWidth/8)
+        var keyData = Data()
+        let writer = OpenSSHKeyWriter()
+        for secret in secrets {
+            let keyBlob = writer.data(secret: secret)
+            keyData.append(writer.lengthAndData(of: keyBlob))
+            let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
+            keyData.append(writer.lengthAndData(of: curveData))
+        }
+        os_log(.debug, "Agent enumerated %@ identities", secrets.count as NSNumber)
+        return countData + keyData
+    }
+
+    func sign(data: Data, from pid: Int32) throws -> Data {
+        let reader = OpenSSHReader(data: data)
+        let hash = try reader.readNextChunk()
+        guard let (store, secret) = secret(matching: hash) else {
+            os_log(.debug, "Agent did not have a key matching %@", hash as NSData)
+            throw AgentError.noMatchingKey
+        }
+
+        let provenance = requestTracer.provenance(from: pid)
+        if let witness = witness {
+            try witness.witness(accessTo: secret, by: provenance)
+        }
+
+        let dataToSign = try reader.readNextChunk()
+        let derSignature = try store.sign(data: dataToSign, with: secret)
+
+        let curveData = writer.curveType(for: secret.algorithm, length: secret.keySize).data(using: .utf8)!
+
+        // Convert from DER formatted rep to raw (r||s)
+
+        let rawRepresentation: Data
+        switch (secret.algorithm, secret.keySize) {
+        case (.ellipticCurve, 256):
+            rawRepresentation = try CryptoKit.P256.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
+        case (.ellipticCurve, 384):
+            rawRepresentation = try CryptoKit.P384.Signing.ECDSASignature(derRepresentation: derSignature).rawRepresentation
+        default:
+            fatalError()
+        }
+
+
+        let rawLength = rawRepresentation.count/2
+        let r = rawRepresentation[0..<rawLength]
+        let s = rawRepresentation[rawLength...]
+
+        var signatureChunk = Data()
+        signatureChunk.append(writer.lengthAndData(of: r))
+        signatureChunk.append(writer.lengthAndData(of: s))
+
+        var signedData = Data()
+        var sub = Data()
+        sub.append(writer.lengthAndData(of: curveData))
+        sub.append(writer.lengthAndData(of: signatureChunk))
+        signedData.append(writer.lengthAndData(of: sub))
+
+        os_log(.debug, "Agent signed request")
+
+        return signedData
+    }
+
+}
+
+extension Agent {
+
+    func secret(matching hash: Data) -> (AnySecretStore, AnySecret)? {
+        storeList.stores.compactMap { store -> (AnySecretStore, AnySecret)? in
+            let allMatching = store.secrets.filter { secret in
+                hash == writer.data(secret: secret)
+            }
+            if let matching = allMatching.first {
+                return (store, matching)
+            }
+            return nil
+        }.first
+    }
+
+}
+
+
+extension Agent {
+
+    enum AgentError: Error {
+        case unhandledType
+        case noMatchingKey
+    }
+
+}
+
+extension SSHAgent.ResponseType {
+
+    var data: Data {
+        var raw = self.rawValue
+        return  Data(bytes: &raw, count: UInt8.bitWidth/8)
+    }
+
+}

SecretAgentKit/SigningRequestProvenance.swift

@@ -0,0 +1,39 @@
+import Foundation
+import AppKit
+
+public struct SigningRequestProvenance {
+
+    public var chain: [Process]
+    public init(root: Process) {
+        self.chain = [root]
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public var origin: Process {
+        chain.last!
+    }
+
+}
+
+extension SigningRequestProvenance {
+
+    public struct Process {
+
+        public let pid: Int32
+        public let name: String
+        public let path: String
+        let parentPID: Int32?
+
+        init(pid: Int32, name: String, path: String, parentPID: Int32?) {
+            self.pid = pid
+            self.name = name
+            self.path = path
+            self.parentPID = parentPID
+        }
+
+    }
+
+}

SecretAgentKit/SigningRequestTracer.swift

@@ -0,0 +1,35 @@
+import Foundation
+import AppKit
+
+struct SigningRequestTracer {
+
+    func provenance(from pid: Int32) -> SigningRequestProvenance {
+        let pidPointer = UnsafeMutableRawPointer.allocate(byteCount: 4, alignment: 1)
+        var len = socklen_t(MemoryLayout<Int32>.size)
+        getsockopt(pid, SOCK_STREAM, LOCAL_PEERPID, pidPointer, &len)
+        let pid = pidPointer.load(as: Int32.self)
+        let firstInfo = process(from: pid)
+
+        var provenance = SigningRequestProvenance(root: firstInfo)
+        while NSRunningApplication(processIdentifier: provenance.origin.pid) == nil && provenance.origin.parentPID != nil {
+            provenance.chain.append(process(from: provenance.origin.parentPID!))
+        }
+        return provenance
+    }
+
+    func pidAndNameInfo(from pid: Int32) -> kinfo_proc {
+        var len = MemoryLayout<kinfo_proc>.size
+        let infoPointer = UnsafeMutableRawPointer.allocate(byteCount: len, alignment: 1)
+        var name: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, pid]
+        sysctl(&name, UInt32(name.count), infoPointer, &len, nil, 0)
+        return infoPointer.load(as: kinfo_proc.self)
+    }
+
+    func process(from pid: Int32) -> SigningRequestProvenance.Process {
+        var pidAndNameInfo = self.pidAndNameInfo(from: pid)
+        let ppid = pidAndNameInfo.kp_eproc.e_ppid != 0 ? pidAndNameInfo.kp_eproc.e_ppid : nil
+        let procName = String(cString: &pidAndNameInfo.kp_proc.p_comm.0)
+        return SigningRequestProvenance.Process(pid: pid, name: procName, path: "", parentPID: ppid)
+    }
+
+}

SecretAgentKit/SigningWitness.swift

@@ -0,0 +1,8 @@
+import Foundation
+import SecretKit
+
+public protocol SigningWitness {
+
+    func witness(accessTo secret: AnySecret, by provenance: SigningRequestProvenance) throws
+
+}

SecretAgentKit/SocketController.swift

@@ -0,0 +1,67 @@
+import Foundation
+import OSLog
+
+public class SocketController {
+
+    fileprivate var fileHandle: FileHandle?
+    fileprivate var port: SocketPort?
+    public var handler: ((FileHandle) -> Void)?
+
+    public init(path: String) {
+        os_log(.debug, "Socket controller setting up at %@", path)
+        if let _ = try? FileManager.default.removeItem(atPath: path) {
+            os_log(.debug, "Socket controller removed existing socket")
+        }
+        let exists = FileManager.default.fileExists(atPath: path)
+        assert(!exists)
+        os_log(.debug, "Socket controller path is clear")
+        port = socketPort(at: path)
+        configureSocket(at: path)
+        os_log(.debug, "Socket listening at %@", path)
+    }
+
+    func configureSocket(at path: String) {
+        guard let port = port else { return }
+        fileHandle = FileHandle(fileDescriptor: port.socket, closeOnDealloc: true)
+        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionAccept(notification:)), name: .NSFileHandleConnectionAccepted, object: nil)
+        NotificationCenter.default.addObserver(self, selector: #selector(handleConnectionDataAvailable(notification:)), name: .NSFileHandleDataAvailable, object: nil)
+        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
+    }
+
+    func socketPort(at path: String) -> SocketPort {
+        var addr = sockaddr_un()
+        addr.sun_family = sa_family_t(AF_UNIX)
+
+        var len: Int = 0
+        _ = withUnsafeMutablePointer(to: &addr.sun_path.0) { pointer in
+            path.withCString { cstring in
+                len = strlen(cstring)
+                strncpy(pointer, cstring, len)
+            }
+        }
+        addr.sun_len = UInt8(len+2)
+
+        var data: Data!
+        _ = withUnsafePointer(to: &addr) { pointer in
+            data = Data(bytes: pointer, count: MemoryLayout<sockaddr_un>.size)
+        }
+
+        return SocketPort(protocolFamily: AF_UNIX, socketType: SOCK_STREAM, protocol: 0, address: data)!
+    }
+
+    @objc func handleConnectionAccept(notification: Notification) {
+        os_log(.debug, "Socket controller accepted connection")
+        guard let new = notification.userInfo?[NSFileHandleNotificationFileHandleItem] as? FileHandle else { return }
+        handler?(new)
+        new.waitForDataInBackgroundAndNotify()
+        fileHandle?.acceptConnectionInBackgroundAndNotify(forModes: [RunLoop.current.currentMode!])
+    }
+
+    @objc func handleConnectionDataAvailable(notification: Notification) {
+        os_log(.debug, "Socket controller has new data available")
+        guard let new = notification.object as? FileHandle else { return }
+        os_log(.debug, "Socket controller received new file handle")
+        handler?(new)
+    }
+
+}