1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
// Copyright 2022 Google LLC.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Signer.go is a net/rpc server that listens on stdin/stdout, exposing
// methods that perform device certificate signing for Mac OS using keychain utils.
// This server is intended to be launched as a subprocess by the signer client,
// and should not be launched manually as a stand-alone process.
package main
import (
"crypto"
"crypto/rsa"
"crypto/x509"
"encoding/gob"
"io"
"io/ioutil"
"log"
"net/rpc"
"os"
"signer/keychain"
"signer/util"
"time"
)
// If ECP Logging is enabled return true
// Otherwise return false
func enableECPLogging() bool {
if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
return true
}
log.SetOutput(ioutil.Discard)
return false
}
func init() {
gob.Register(crypto.SHA256)
gob.Register(crypto.SHA384)
gob.Register(crypto.SHA512)
gob.Register(&rsa.PSSOptions{})
}
// SignArgs contains arguments to a crypto Signer.Sign method.
type SignArgs struct {
Digest []byte // The content to sign.
Opts crypto.SignerOpts // Options for signing, such as Hash identifier.
}
// A EnterpriseCertSigner exports RPC methods for signing.
type EnterpriseCertSigner struct {
key *keychain.Key
}
// A Connection wraps a pair of unidirectional streams as an io.ReadWriteCloser.
type Connection struct {
io.ReadCloser
io.WriteCloser
}
// Close closes c's underlying ReadCloser and WriteCloser.
func (c *Connection) Close() error {
rerr := c.ReadCloser.Close()
werr := c.WriteCloser.Close()
if rerr != nil {
return rerr
}
return werr
}
// CertificateChain returns the credential as a raw X509 cert chain. This
// contains the public key.
func (k *EnterpriseCertSigner) CertificateChain(ignored struct{}, certificateChain *[][]byte) error {
*certificateChain = k.key.CertificateChain()
return nil
}
// Public returns the corresponding public key for this Key, in ASN.1 DER form.
func (k *EnterpriseCertSigner) Public(ignored struct{}, publicKey *[]byte) (err error) {
*publicKey, err = x509.MarshalPKIXPublicKey(k.key.Public())
return
}
// Sign signs a message digest.
func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) {
*resp, err = k.key.Sign(nil, args.Digest, args.Opts)
return
}
func main() {
enableECPLogging()
if len(os.Args) != 2 {
log.Fatalln("Signer is not meant to be invoked manually, exiting...")
}
configFilePath := os.Args[1]
config, err := util.LoadConfig(configFilePath)
enterpriseCertSigner := new(EnterpriseCertSigner)
enterpriseCertSigner.key, err = keychain.Cred(config.CertConfigs.MacOSKeychain.Issuer)
if err != nil {
log.Fatalf("Failed to initialize enterprise cert signer using keychain: %v", err)
}
if err := rpc.Register(enterpriseCertSigner); err != nil {
log.Fatalf("Failed to register enterprise cert signer with net/rpc: %v", err)
}
// If the parent process dies, we should exit.
// We can detect this by periodically checking if the PID of the parent
// process is 1 (https://stackoverflow.com/a/2035683).
go func() {
for {
if os.Getppid() == 1 {
log.Fatalln("Enterprise cert signer's parent process died, exiting...")
}
time.Sleep(time.Second)
}
}()
rpc.ServeConn(&Connection{os.Stdin, os.Stdout})
}
|
