feat: add signature verification with a submitted public key

Signed-off-by: Michele Meloni <[email protected]>

Author: mmeloni

README.md

@@ -336,6 +336,7 @@ Environment variables:
   IMMUCLIENT_PKEY=./tools/mtls/4_client/private/localhost.key.pem
   IMMUCLIENT_CERTIFICATE=./tools/mtls/4_client/certs/localhost.cert.pem
   IMMUCLIENT_CLIENTCAS=./tools/mtls/2_intermediate/certs/ca-chain.cert.pem
+  IMMUCLIENT_PUBLIC_KEY=
 
 IMPORTANT: All get and safeget functions return base64-encoded keys and values, while all set and safeset functions expect base64-encoded inputs.
 

cmd/immuadmin/command/login_test.go

@@ -19,6 +19,7 @@ package immuadmin
 import (
 	"bytes"
 	"context"
+	"github.com/stretchr/testify/require"
 	"io/ioutil"
 	"os"
 	"testing"

cmd/immuclient/audit/auditagent.go

@@ -171,14 +171,16 @@ func options() *client.Options {
 	prometheusPort := viper.GetString("prometheus-port")
 	prometheusHost := viper.GetString("prometheus-host")
 	logfilename := viper.GetString("logfile")
+	publicKey := viper.GetString("public-key")
 	options := client.DefaultOptions().
 		WithPort(port).
 		WithAddress(address).
 		WithTokenFileName(tokenFileName).
 		WithMTLs(mtls).WithPidPath(pidpath).
 		WithPrometheusPort(prometheusPort).
 		WithPrometheusHost(prometheusHost).
-		WithLogFileName(logfilename)
+		WithLogFileName(logfilename).
+		WithPublicKey(publicKey)
 	if mtls {
 		// todo https://golang.org/src/crypto/x509/root_linux.go
 		options.MTLsOptions = client.DefaultMTLsOptions().

cmd/immuclient/audit/auditor.go

@@ -18,8 +18,10 @@ package audit
 
 import (
 	"context"
+	"crypto/ecdsa"
 	"errors"
 	"fmt"
+	"github.com/codenotary/immudb/pkg/signer"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -101,13 +103,23 @@ func (cAgent *auditAgent) InitAgent() (AuditAgent, error) {
 			return nil, fmt.Errorf("Invalid login operation: %v", err)
 		}
 	}
+
+	var pk *ecdsa.PublicKey
+	if cliOpts.PublicKey != "" {
+		pk, err = signer.ParsePublicKeyFile(cliOpts.PublicKey)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	cAgent.ImmuAudit, err = auditor.DefaultAuditor(time.Duration(cAgent.cycleFrequency)*time.Second,
 		fmt.Sprintf("%s:%v", options().Address, options().Port),
 		cliOpts.DialOptions,
 		auditUsername,
 		auditPassword,
 		auditDatabases,
 		auditSignature,
+		pk,
 		auditor.AuditNotificationConfig{
 			URL:            auditNotificationURL,
 			Username:       auditNotificationUsername,

cmd/immuclient/command/init.go

@@ -53,6 +53,7 @@ func (cl *commandline) configureFlags(cmd *cobra.Command) error {
 	cmd.PersistentFlags().String("audit-notification-url", "", "If set, auditor will send a POST request at this URL with audit result details.")
 	cmd.PersistentFlags().String("audit-notification-username", "", "Username used to authenticate when publishing audit result to 'audit-notification-url'.")
 	cmd.PersistentFlags().String("audit-notification-password", "", "Password used to authenticate when publishing audit result to 'audit-notification-url'.")
+	cmd.PersistentFlags().String("public-key", "", "Path to the public key to verify signatures when presents")
 
 	viper.BindPFlag("immudb-port", cmd.PersistentFlags().Lookup("immudb-port"))
 	viper.BindPFlag("immudb-address", cmd.PersistentFlags().Lookup("immudb-address"))
@@ -75,6 +76,7 @@ func (cl *commandline) configureFlags(cmd *cobra.Command) error {
 	viper.BindPFlag("audit-notification-url", cmd.PersistentFlags().Lookup("audit-notification-url"))
 	viper.BindPFlag("audit-notification-username", cmd.PersistentFlags().Lookup("audit-notification-username"))
 	viper.BindPFlag("audit-notification-password", cmd.PersistentFlags().Lookup("audit-notification-password"))
+	viper.BindPFlag("public-key", cmd.PersistentFlags().Lookup("public-key"))
 
 	viper.SetDefault("immudb-port", client.DefaultOptions().Port)
 	viper.SetDefault("immudb-address", client.DefaultOptions().Address)
@@ -96,6 +98,7 @@ func (cl *commandline) configureFlags(cmd *cobra.Command) error {
 	viper.SetDefault("audit-notification-url", "")
 	viper.SetDefault("audit-notification-username", "")
 	viper.SetDefault("audit-notification-password", "")
+	viper.SetDefault("public-key", "")
 	viper.SetDefault("dir", os.TempDir())
 	return nil
 }

cmd/immuclient/command/root.go

@@ -37,6 +37,7 @@ Environment variables:
   IMMUCLIENT_PKEY=./tools/mtls/4_client/private/localhost.key.pem
   IMMUCLIENT_CERTIFICATE=./tools/mtls/4_client/certs/localhost.cert.pem
   IMMUCLIENT_CLIENTCAS=./tools/mtls/2_intermediate/certs/ca-chain.cert.pem
+  IMMUCLIENT_PUBLIC_KEY=
 
 IMPORTANT: All get and safeget functions return base64-encoded keys and values, while all set and safeset functions expect base64-encoded inputs.`,
 		DisableAutoGenTag: true,

cmd/immuclient/immuc/init.go

@@ -117,7 +117,8 @@ func Options() *client.Options {
 		WithAddress(viper.GetString("immudb-address")).
 		WithTokenFileName(viper.GetString("tokenfile")).
 		WithMTLs(viper.GetBool("mtls")).
-		WithTokenService(client.NewTokenService().WithTokenFileName(viper.GetString("tokenfile")).WithHds(client.NewHomedirService()))
+		WithTokenService(client.NewTokenService().WithTokenFileName(viper.GetString("tokenfile")).WithHds(client.NewHomedirService())).
+		WithPublicKey(viper.GetString("public-key"))
 
 	if viper.GetBool("mtls") {
 		// todo https://golang.org/src/crypto/x509/root_linux.go

configs/immuclient.toml

@@ -8,3 +8,4 @@ pkey = "./tools/mtls/4_client/private/localhost.key.pem"
 certificate = "./tools/mtls/4_client/certs/localhost.cert.pem"
 clientcas = "./tools/mtls/2_intermediate/certs/ca-chain.cert.pem"
 audit-signature = "ignore"
+public-key = "" #used to verify signatures

pkg/api/schema/state.go

@@ -16,6 +16,7 @@ limitations under the License.
 package schema
 
 import (
+	"crypto/ecdsa"
 	"crypto/sha256"
 	"encoding/binary"
 	"errors"
@@ -30,14 +31,10 @@ func (state *ImmutableState) ToBytes() []byte {
 	return b
 }
 
-//CheckSignature
-func (state *ImmutableState) CheckSignature() (ok bool, err error) {
+// CheckSignature
+func (state *ImmutableState) CheckSignature(key *ecdsa.PublicKey) (ok bool, err error) {
 	if state.Signature == nil {
 		return false, errors.New("no signature found")
 	}
-	if state.Signature.PublicKey == nil {
-		return false, errors.New("no public key found")
-	}
-
-	return signer.Verify(state.ToBytes(), state.Signature.Signature, state.Signature.PublicKey)
+	return signer.Verify(state.ToBytes(), state.Signature.Signature, key)
 }

pkg/client/auditor/auditor.go

@@ -19,6 +19,7 @@ package auditor
 import (
 	"bytes"
 	"context"
+	"crypto/ecdsa"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
@@ -72,6 +73,7 @@ type defaultAuditor struct {
 	password           []byte
 	auditDatabases     []string
 	auditSignature     string
+	publicKey          *ecdsa.PublicKey
 	notificationConfig AuditNotificationConfig
 	serviceClient      schema.ImmuServiceClient
 	uuidProvider       state.UUIDProvider
@@ -89,6 +91,7 @@ func DefaultAuditor(
 	passwordBase64 string,
 	auditDatabases []string,
 	auditSignature string,
+	publicKey *ecdsa.PublicKey,
 	notificationConfig AuditNotificationConfig,
 	serviceClient schema.ImmuServiceClient,
 	uuidProvider state.UUIDProvider,
@@ -129,6 +132,7 @@ func DefaultAuditor(
 		[]byte(password),
 		auditDatabases,
 		auditSignature,
+		publicKey,
 		notificationConfig,
 		serviceClient,
 		uuidProvider,
@@ -255,7 +259,7 @@ func (a *defaultAuditor) audit() error {
 	}
 
 	if a.auditSignature == "validate" {
-		if okSig, err := state.CheckSignature(); err != nil || !okSig {
+		if okSig, err := state.CheckSignature(a.publicKey); err != nil || !okSig {
 			a.logger.Errorf(
 				"audit #%d aborted: could not verify signature on server state at %s @ %s",
 				a.index, serverID, a.serverAddress)