james/dt4a auth (#2149)

Author: James-Pickett

ee/localserver/certs.go

@@ -1,6 +1,13 @@
 package localserver
 
+import (
+	"crypto/ecdsa"
+	"encoding/json"
+	"fmt"
+)
+
 // These are the hardcoded certificates
+
 const (
 	k2EccServerCert = `-----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmAO4tYINU14/i0LvONs1IXVwaFnF
@@ -16,4 +23,146 @@ GINysvEwYrNoGjASt+nqzlFesagt+2A/4W7JR16nE91mbCHn+HV6x+H8gw==
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwowFsPUaOC61LAfDz1hLnsuSDfEx
 SC4TSfHtbHHv3lx2/Bfu+H0szXYZ75GF/qZ5edobq3UkABN6OaFnnJId3w==
 -----END PUBLIC KEY-----`
+
+	dt4aCertsJWK = `
+{
+    "LJDJWSE7WZEVTIWYZXFEGO4UWU": {
+        "crv": "P-256",
+        "kid": "LJDJWSE7WZEVTIWYZXFEGO4UWU",
+        "kty": "EC",
+        "x": "RqXvX6ByCw5XzYtqvt_xMSJwBaA9aoPH-Mc3yQ2HGhE",
+        "y": "RGellUkwDt2v0HUdCqKs8WLBa4bWQ4ZaKPfAesGdjoA"
+    },
+    "O7OHTURDFFHHNNV6NIKCPCZG3U": {
+        "crv": "P-256",
+        "kid": "O7OHTURDFFHHNNV6NIKCPCZG3U",
+        "kty": "EC",
+        "x": "e4MUHZOCk7Jas0wKLZZj0BTUnfzqilXV7EykZelq8kw",
+        "y": "Pep2Saf8RTYH0KaIH4Kh3AcdsgATh8pr2jUBviULwWo"
+    },
+    "EQFDLBCEORHJRLZMSUAKAUWEIQ": {
+        "crv": "P-256",
+        "kid": "EQFDLBCEORHJRLZMSUAKAUWEIQ",
+        "kty": "EC",
+        "x": "J3XQzYvsix7WQV1g-N7IgFA_J-Fja2_R7QcqMr1WU3g",
+        "y": "b9YrgvnWeJxjZ5HX2ERau5PcJDKDnrSDcyLJpuNiuMc"
+    },
+    "PCA7GIDALBFYZCWK4MS3G4IXEU": {
+        "crv": "P-256",
+        "kid": "PCA7GIDALBFYZCWK4MS3G4IXEU",
+        "kty": "EC",
+        "x": "HMLGLwgkb9NY_x3br_nIhQxkj-XzUcEue6NsPWyAe0g",
+        "y": "Agd56jMwBjKEHSmXDlII5fSrYGJcEZQXj_W8xhcp5Bg"
+    },
+    "XTZV3GJH5NDA3GN5TYYHQS2LY4": {
+        "crv": "P-256",
+        "kid": "XTZV3GJH5NDA3GN5TYYHQS2LY4",
+        "kty": "EC",
+        "x": "fJoVe2dIOdHfbqUF_e0Jx1DdWwx1qawdN7KV_gS1lgc",
+        "y": "VSrX5h6qrHm0KhfJeX_sR73AsSGDuYMq6wd36eK9zr0"
+    },
+    "SZ5KQFFBRBAJ7BWXMQK6SNT7VY": {
+        "crv": "P-256",
+        "kid": "SZ5KQFFBRBAJ7BWXMQK6SNT7VY",
+        "kty": "EC",
+        "x": "yh2yfAiySH1by8-Zys0fDoxWxLvKzsBidjVv7H-JOQs",
+        "y": "yvwU9oucAqdbR-Cnu6AM3Wo8eH1rA14qs9GKZGrcBDM"
+    },
+    "CGCIR2MFPJG53ANG3UZQHOARUE": {
+        "crv": "P-256",
+        "kid": "CGCIR2MFPJG53ANG3UZQHOARUE",
+        "kty": "EC",
+        "x": "kqCHC5TWP0AfB-Is4YqkuG01yHXr90MRIHsWl5cA1bo",
+        "y": "O7Dr6cV5c48f3s-7b7nC9emlhrpZaQKGbW0p_fgO12o"
+    },
+    "EVNNXZX7ARDXTHVDPIIH7UBLIM": {
+        "crv": "P-256",
+        "kid": "EVNNXZX7ARDXTHVDPIIH7UBLIM",
+        "kty": "EC",
+        "x": "UYlZvyQwqDdth2C0EdgB7aQz7oXxfft2GwxfsNoeq1Q",
+        "y": "9HRC4q-57_VjEl-BxLj8xCdSq8-GRCq9APc9b48RiEg"
+    },
+    "UQB2V5K4SVHKXJYDK52ESEOITU": {
+        "crv": "P-256",
+        "kid": "UQB2V5K4SVHKXJYDK52ESEOITU",
+        "kty": "EC",
+        "x": "iGmuezNq8h1xFrctHA4IZ8w4uNs8FnEGM2H58-u9rLg",
+        "y": "fdnegLFLCEEFLxlQIirUnLLBC3W3hiWdSdcoyfezWmc"
+    },
+    "CDTTGMTBNZDKNLJJRVGZG5EJWI": {
+        "crv": "P-256",
+        "kid": "CDTTGMTBNZDKNLJJRVGZG5EJWI",
+        "kty": "EC",
+        "x": "dpfhbnwobCJ1mn67aa-MtpK_HWGgACP2QIRi5sIQHLw",
+        "y": "AI6PPzaV80SlaT2YJpO0jR-s_p6V4l3mE21_HmN8btU"
+    },
+    "QKTPGJABLNC67JF7LNBYA67H6U": {
+        "crv": "P-256",
+        "kid": "QKTPGJABLNC67JF7LNBYA67H6U",
+        "kty": "EC",
+        "x": "K_iuK_QTiyUGKnNwQawfNNZaK2r_74LPJ-Dh8E3q2Eg",
+        "y": "cQtwUMjR1v6yCUkuJUQ8giG8i0094EjBgI4ZvBSlu7I"
+    },
+    "EIXVCJMWU5EOHO7KFZRTXJFDPM": {
+        "crv": "P-256",
+        "kid": "EIXVCJMWU5EOHO7KFZRTXJFDPM",
+        "kty": "EC",
+        "x": "m41RPfNro2eTO4QvrlcS4YvFGyfSipKYSWvxFCJmd9s",
+        "y": "-LcFdVaFWLKpQwxIJtg_Wbt96nSW6UflcHFccukyfYY"
+    },
+    "4XAYQZYLERCODIA466B6N5CVTU": {
+        "crv": "P-256",
+        "kid": "4XAYQZYLERCODIA466B6N5CVTU",
+        "kty": "EC",
+        "x": "ToQ1gpeYXel8NOj_nPaxoQWnTWPYFdSLFu9WyRPSeCI",
+        "y": "6I1ce5IWh-sShpy6zWuEPe1xfxXfZKGPKLkjmgFlF8g"
+    },
+    "QZ4LYXGF2FBPVPOUXOB6JRG7FU": {
+        "crv": "P-256",
+        "kid": "QZ4LYXGF2FBPVPOUXOB6JRG7FU",
+        "kty": "EC",
+        "x": "3UcmjOw5gySrmdRhPi79uPrBc4wMK82lk_2ZjHhd8AM",
+        "y": "9KyEHTauwzUZMhO9bbfdLXgBurzik_U6hOAvAdEmMOY"
+    },
+    "XEEA7W43BVHCNG3GXWOKXOCQUI": {
+        "crv": "P-256",
+        "kid": "XEEA7W43BVHCNG3GXWOKXOCQUI",
+        "kty": "EC",
+        "x": "9NunJuqdPEvmXid4XykAvMT7oVD2VoJAesvt-OGyVqI",
+        "y": "c3A92ku97Gs_BU0ADNl0lGJ-h0TFvShYZgNQMMBf0T0"
+    },
+    "PUIDTW7VXFHN5CV6DBY4KVTIFE": {
+        "crv": "P-256",
+        "kid": "PUIDTW7VXFHN5CV6DBY4KVTIFE",
+        "kty": "EC",
+        "x": "8Y6AMk7wwVZfzqqGbFIdRWKQVm9mvjX1M-4lp7LBBGw",
+        "y": "uYFFX6PSycR-7EHSy1LXllg44tWZ5iFGfHJplIWcmYQ"
+    }
+}`
 )
+
+func dt4aKeys() (map[string]*ecdsa.PublicKey, error) {
+	dt4aKeyMap := make(map[string]*ecdsa.PublicKey)
+
+	certMap := make(map[string]json.RawMessage)
+	if err := json.Unmarshal([]byte(dt4aCertsJWK), &certMap); err != nil {
+		return nil, err
+	}
+
+	for k, v := range certMap {
+
+		var j jwk
+		if err := json.Unmarshal(v, &j); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal JWK: %w", err)
+		}
+
+		pubKey, err := j.ecdsaPubKey()
+		if err != nil {
+			return nil, fmt.Errorf("failed to convert JWK to ECDSA public key: %w", err)
+		}
+
+		dt4aKeyMap[k] = pubKey
+	}
+
+	return dt4aKeyMap, nil
+}

ee/localserver/jwk_keys.go

@@ -0,0 +1,98 @@
+package localserver
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"math/big"
+	"strings"
+)
+
+// jwk is a JSON Web Key (JWK) structure for representing public keys,
+// this a partial implementation using the stdlib for only the bits we care about,
+// RFC https://datatracker.ietf.org/doc/html/rfc7517
+type jwk struct {
+	Curve string `json:"crv"`
+	X     string `json:"x"`
+	Y     string `json:"y"`
+	KeyID string `json:"kid"`
+}
+
+const (
+	curveP256 string = "P-256"
+	curveP384 string = "P-384"
+	curveP521 string = "P-521"
+)
+
+func parseEllipticCurve(str string) (elliptic.Curve, error) {
+	switch strings.ToUpper(str) {
+	case curveP256:
+		return elliptic.P256(), nil
+	case curveP384:
+		return elliptic.P384(), nil
+	case curveP521:
+		return elliptic.P521(), nil
+	default:
+		return &elliptic.CurveParams{}, fmt.Errorf("unsupported curve: %s", str)
+	}
+}
+
+// ecdsaPubKey converts jwk in to ecdsa public key
+func (j *jwk) ecdsaPubKey() (*ecdsa.PublicKey, error) {
+	curve, err := parseEllipticCurve(j.Curve)
+	if err != nil {
+		return nil, err
+	}
+
+	// Decode the x and y coordinates using base64 URL decoding (unpadded).
+	xBytes, err := base64.RawURLEncoding.DecodeString(j.X)
+	if err != nil {
+		return nil, fmt.Errorf("error decoding x coordinate: %v", err)
+	}
+	yBytes, err := base64.RawURLEncoding.DecodeString(j.Y)
+	if err != nil {
+		return nil, fmt.Errorf("error decoding y coordinate: %v", err)
+	}
+
+	// Convert the bytes into big.Int values.
+	x := new(big.Int).SetBytes(xBytes)
+	y := new(big.Int).SetBytes(yBytes)
+
+	// Construct the ECDSA public key.
+	pubKey := &ecdsa.PublicKey{
+		Curve: curve,
+		X:     x,
+		Y:     y,
+	}
+
+	// this is a little weird, but it's the recommended way to validate a public key,
+	// under the hood it calls Curve.IsOnCurve(...), but if you call that directly
+	// you get deprecated warnings
+	if _, err := pubKey.ECDH(); err != nil {
+		return nil, fmt.Errorf("invalid public key: %w", err)
+	}
+
+	return pubKey, nil
+}
+
+// x25519PubKey converts jwk in to x25519 key (*[32]byte)
+func (j *jwk) x25519PubKey() (*[32]byte, error) {
+	// Decode the "x" coordinate using base64 URL decoding (unpadded).
+	xBytes, err := base64.RawURLEncoding.DecodeString(j.X)
+	if err != nil {
+		return nil, fmt.Errorf("error decoding x coordinate: %v", err)
+	}
+
+	// X25519 public keys should be 32 bytes.
+	if len(xBytes) != 32 {
+		return nil, errors.New("invalid x coordinate length for X25519, expected 32 bytes")
+	}
+
+	// Copy the bytes into a fixed size array.
+	var pubKey [32]byte
+	copy(pubKey[:], xBytes)
+
+	return &pubKey, nil
+}

ee/localserver/server.go

@@ -104,9 +104,23 @@ func New(ctx context.Context, k types.Knapsack, presenceDetector presenceDetecto
 	// /v0/cmd left for transition period
 	mux.Handle("/v1/cmd", ecKryptoMiddleware.Wrap(ls.munemoCheckHandler(ecAuthedMux)))
 
+	trustedDt4aKeys, err := dt4aKeys()
+	if err != nil {
+		return nil, fmt.Errorf("loading dt4a keys %w", err)
+	}
+
+	ztaAuthMiddleware := &ztaAuthMiddleware{
+		counterPartyKeys: trustedDt4aKeys,
+		slogger:          k.Slogger().With("component", "dt4a_auth_middleware"),
+	}
+
 	// In the future, we will want to make this authenticated; for now, it is not authenticated.
+	// TODO: make this authenticated or remove
 	mux.Handle("/zta", ls.requestZtaInfoHandler())
 
+	// mux.Handle("/zta", ztaAuthMiddleware.Wrap(ls.requestZtaInfoHandler()))
+	mux.Handle("/v3/dt4a", ztaAuthMiddleware.Wrap(ls.requestZtaInfoHandler()))
+
 	// uncomment to test without going through middleware
 	// for example:
 	// curl localhost:40978/query --data '{"query":"select * from kolide_launcher_info"}'

ee/localserver/zta.go

@@ -41,11 +41,6 @@ func (ls *localServer) requestZtaInfoHandlerFunc(w http.ResponseWriter, r *http.
 	r, span := traces.StartHttpRequestSpan(r, "path", r.URL.Path)
 	defer span.End()
 
-	if r.Method != http.MethodGet {
-		w.WriteHeader(http.StatusMethodNotAllowed)
-		return
-	}
-
 	// Validate origin. We expect to either have the origin set to an allowlisted value, or to be
 	// present but empty, or to be missing. We will not allow a request with a nonempty origin
 	// that is not in the allowlist.