feat: add key_id signature cache (NR-356780) (#1004)

Author: gsanchezgavier

Cargo.lock

@@ -206,6 +206,27 @@ Distributed under the following license(s):
 * Apache-2.0
 
 
+## asn1-rs https://crates.io/crates/asn1-rs
+
+Distributed under the following license(s):
+* MIT
+* Apache-2.0
+
+
+## asn1-rs-derive https://crates.io/crates/asn1-rs-derive
+
+Distributed under the following license(s):
+* MIT
+* Apache-2.0
+
+
+## asn1-rs-impl https://crates.io/crates/asn1-rs-impl
+
+Distributed under the following license(s):
+* MIT
+* Apache-2.0
+
+
 ## async-broadcast https://crates.io/crates/async-broadcast
 
 Distributed under the following license(s):
@@ -605,6 +626,19 @@ Distributed under the following license(s):
 * Apache-2.0
 
 
+## data-encoding https://crates.io/crates/data-encoding
+
+Distributed under the following license(s):
+* MIT
+
+
+## der-parser https://crates.io/crates/der-parser
+
+Distributed under the following license(s):
+* MIT
+* Apache-2.0
+
+
 ## deranged https://crates.io/crates/deranged
 
 Distributed under the following license(s):
@@ -1441,6 +1475,13 @@ Distributed under the following license(s):
 * MIT
 
 
+## oid-registry https://crates.io/crates/oid-registry
+
+Distributed under the following license(s):
+* MIT
+* Apache-2.0
+
+
 ## once_cell https://crates.io/crates/once_cell
 
 Distributed under the following license(s):
@@ -1765,6 +1806,13 @@ Distributed under the following license(s):
 * Apache-2.0
 
 
+## rusticata-macros https://crates.io/crates/rusticata-macros
+
+Distributed under the following license(s):
+* MIT
+* Apache-2.0
+
+
 ## rustix https://crates.io/crates/rustix
 
 Distributed under the following license(s):
@@ -2590,6 +2638,13 @@ Distributed under the following license(s):
 * Unicode-3.0
 
 
+## x509-parser https://crates.io/crates/x509-parser
+
+Distributed under the following license(s):
+* MIT
+* Apache-2.0
+
+
 ## yaml-rust2 https://crates.io/crates/yaml-rust2
 
 Distributed under the following license(s):

THIRD_PARTY_NOTICES.md

@@ -64,6 +64,8 @@ rustls = { version = "0.23.18", features = ["ring"] }
 rustls-pemfile = { version = "2.1.3" }
 rustls-native-certs = "0.8.1"
 webpki = { version = "0.22.4", features = ["alloc"] }
+x509-parser = "0.16.0"
+ring = "0.17.8"
 
 [dev-dependencies]
 assert_cmd = { workspace = true }
@@ -89,7 +91,7 @@ httpmock = { version = "0.8.0-alpha.1", features = ["proxy"] }
 serial_test = "3.1.1"
 futures = "0.3.30"
 rcgen = { version = "0.13.2", features = ["crypto"] }
-ring = "0.17.8"
+
 
 [build-dependencies]
 glob = "0.3.1"

agent-control/Cargo.toml

@@ -3,7 +3,7 @@ use crate::event::{AgentControlEvent, SubAgentEvent};
 use std::sync::Arc;
 use tokio::sync::mpsc::UnboundedReceiver;
 use tokio::sync::RwLock;
-use tracing::debug;
+use tracing::{debug, trace};
 
 pub(super) async fn on_agent_control_event_update_status(
     mut agent_control_event_consumer: UnboundedReceiver<AgentControlEvent>,
@@ -50,7 +50,7 @@ async fn update_agent_control_status(
             unreachable!("AgentControlStopped is controlled outside");
         }
         AgentControlEvent::OpAMPConnected => {
-            debug!("opamp server is reachable");
+            trace!("opamp server is reachable");
             status.opamp.reachable();
         }
         AgentControlEvent::OpAMPConnectFailed(error_code, error_message) => {

agent-control/src/agent_control/http_server/status_updater.rs

@@ -275,6 +275,10 @@ impl SignatureData {
     pub fn signature_algorithm(&self) -> &SignatureAlgorithm {
         (&self.signing_algorithm).into()
     }
+
+    pub fn key_id(&self) -> &str {
+        &self.key_id
+    }
 }
 
 /// CRC32 checksum of the config data. Currently this field is ignored since the current implementation of RemoteConfig

agent-control/src/opamp/remote_config/signature.rs

@@ -1,3 +1,5 @@
+mod certificate;
 mod certificate_fetcher;
 mod certificate_store;
 pub mod validator;
+pub use certificate::public_key_fingerprint;

agent-control/src/opamp/remote_config/validators/signature.rs

@@ -0,0 +1,108 @@
+use ring::digest;
+use std::fmt::Write;
+use thiserror::Error;
+use webpki::EndEntityCert;
+use x509_parser::prelude::{FromDer, X509Certificate};
+
+#[derive(Error, Debug)]
+pub enum CertificateError {
+    #[error("parsing certificate from bytes: `{0}`")]
+    ParseCertificate(String),
+    #[error("verifying signature: `{0}`")]
+    VerifySignature(String),
+}
+#[derive(Debug, Clone)]
+pub struct Certificate {
+    cert_der: Vec<u8>,
+    // sha256 digest of the public key
+    public_key_id: String,
+}
+
+impl Certificate {
+    pub fn try_new(cert_der: Vec<u8>) -> Result<Self, CertificateError> {
+        let _ = EndEntityCert::try_from(cert_der.as_slice())
+            .map_err(|e| CertificateError::ParseCertificate(e.to_string()))?;
+
+        let (_, cer) = X509Certificate::from_der(&cert_der)
+            .map_err(|e| CertificateError::ParseCertificate(e.to_string()))?;
+
+        Ok(Self {
+            public_key_id: public_key_fingerprint(cer.public_key().raw),
+            cert_der,
+        })
+    }
+    pub fn public_key_id(&self) -> &str {
+        &self.public_key_id
+    }
+    pub fn verify_signature(
+        &self,
+        algorithm: &webpki::SignatureAlgorithm,
+        msg: &[u8],
+        signature: &[u8],
+    ) -> Result<(), CertificateError> {
+        let certificate = EndEntityCert::try_from(self.cert_der.as_slice())
+            .map_err(|e| CertificateError::VerifySignature(e.to_string()))?;
+
+        certificate
+            .verify_signature(algorithm, msg, signature)
+            .map_err(|e| CertificateError::VerifySignature(e.to_string()))
+    }
+}
+
+pub fn public_key_fingerprint(public_key: &[u8]) -> String {
+    let key_id_bytes = digest::digest(&digest::SHA256, public_key);
+
+    // encode the digest as hex string
+    key_id_bytes
+        .as_ref()
+        .iter()
+        .fold(String::new(), |mut output, b| {
+            let _ = write!(output, "{b:02x}");
+            output
+        })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::io::Cursor;
+
+    #[test]
+    fn test_certificate_key_id() {
+        let mut cursor = Cursor::new(CERT_PEM.as_bytes());
+        let cert = rustls_pemfile::certs(cursor.get_mut())
+            .next()
+            .unwrap()
+            .unwrap();
+
+        let key_id = Certificate::try_new(cert.as_ref().to_vec())
+            .unwrap()
+            .public_key_id()
+            .to_string();
+
+        assert_eq!(key_id, CERT_PUBLIC_KEY_ID);
+    }
+
+    const CERT_PUBLIC_KEY_ID: &str =
+        "3c333a786b8f1e93f3a099a09cf591c5faac126ea48699e9e290e72b0b6bf06c";
+    const CERT_PEM: &str = r#"-----BEGIN CERTIFICATE-----
+MIIDLzCCAhegAwIBAgIUc5RF25ZGKeFSMlB8EK0EuDxZUFgwDQYJKoZIhvcNAQEL
+BQAwHjELMAkGA1UEBhMCRkkxDzANBgNVBAMMBmNhbmFtZTAeFw0yNTAxMjAwNzU2
+NTBaFw0yNjAxMjAwNzU2NTBaMCAxCzAJBgNVBAYTAkZJMREwDwYDVQQDDAh0ZXN0
+bmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6pXsPX+0HpRdp+
+xD88Ut/SL26kmYSCaY9U1nCo45bARlTlhW62Bf5WMETJhGGi/Kq93MjPMkmNFNF/
+2qQx+XpxmKQR+B/iQzrg9bD1evRQPQvnSFBHKMh8cbqVpsLq/p6ee2iMoDpQ8C8p
+Y1WjmGhcpp7EpDLUwx2x8NOu+uZp7NjT2rFBni7KMcWKJXEYh59EHkL/J/DeTUtQ
+0Jxrq6k2hbEBOxRzO3XdwZ3w+LlurankJBOBljLpXn7Du9iA/0BicWczBhwJqv3T
+96gyxoClmyGpXRiaiHyP+6t7/xfNfwJ6AEuifyVIUnxEyP+lgx6stWnV2j58a4kT
+asRIASECAwEAAaNjMGEwHwYDVR0jBBgwFoAUwg0OUU2UnO8UnMGFAjUdIl2S5Jow
+CQYDVR0TBAIwADAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFLoNRu6n
+UepmUndgCwPr7tHQ84N0MA0GCSqGSIb3DQEBCwUAA4IBAQB4yKCYrdbz4FGxfA4K
+GbgXe0ylio1OCA/4Db3Xo/UYJwKG+sG5YWKJiOTqJqdOPSczZE8ROA9BNLKpfUXj
+hIffqUXca298j+8Ag+gFE5oOnUF1RUwE+xLWj94Fby4yFeadPcn1E7amSGoK1kE2
+ksQmmplpaVP9lOKnk6pX9NbMsAW2IeuDROuCYyTE9XOUxzdNnQp2Uk7rnxbGHHIl
+ag5JWpNv/SRwijhGyVKiLFINYILDaNZc56RxxNWgfKj8mTiRvFV5OiM0MrIjBCUu
+O0jhqIc+AEbSGU0jdfFxs4f9fJklHDphUxqE1MSvqzOMaFNrt/8jEupa2ujLCVId
+XeFA
+-----END CERTIFICATE-----"#;
+}