fix: align remote config digest signature (#1704)

* fix(workaround)

* feat: encode msg into b64

* style: move digest generation to upper layers

* test: fix

* style: ignore ascii case

---------

Co-authored-by: David Sánchez <davidslt+git@pm.me>

Author: paologallinaharbur

agent-control/src/opamp/remote_config/validators/signature/public_key.rs

@@ -1,8 +1,7 @@
 use crate::opamp::remote_config::signature::SigningAlgorithm;
 use crate::opamp::remote_config::validators::signature::public_key_fetcher::KeyData;
 use crate::opamp::remote_config::validators::signature::verifier::Verifier;
-use base64::Engine;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
 use ring::signature::{ED25519, UnparsedPublicKey};
 use thiserror::Error;
 

agent-control/src/opamp/remote_config/validators/signature/public_key_fetcher.rs

@@ -131,7 +131,13 @@ pub mod tests {
             }
         }
         pub fn sign(&self, msg: &[u8]) -> String {
-            BASE64_STANDARD.encode(self.key_pair.sign(msg).as_ref())
+            // Actual implementation from FC side signs the Base64 representation of the SHA256 digest
+            // of the message (i.e. the remote configs). Hence, to verify the signature, we need to
+            // compute the SHA256 digest of the message, then Base64 encode it, and finally verify
+            // the signature against that.
+            let digest = ring::digest::digest(&ring::digest::SHA256, msg);
+            let msg = BASE64_STANDARD.encode(digest);
+            BASE64_STANDARD.encode(self.key_pair.sign(msg.as_bytes()).as_ref())
         }
     }
 

agent-control/src/opamp/remote_config/validators/signature/validator.rs

@@ -11,6 +11,8 @@ use crate::opamp::remote_config::validators::signature::public_key::PublicKey;
 use crate::opamp::remote_config::validators::signature::public_key_fetcher::PublicKeyFetcher;
 use crate::opamp::remote_config::validators::signature::verifier::VerifierStore;
 use crate::sub_agent::identity::AgentIdentity;
+use base64::Engine as _;
+use base64::prelude::BASE64_STANDARD;
 use serde::Deserialize;
 use std::path::PathBuf;
 use std::time::Duration;
@@ -212,8 +214,15 @@ impl RemoteConfigValidator for CompositeSignatureValidator {
 
         let config_content = opamp_remote_config
             .get_unique()
-            .map_err(|e| SignatureValidatorError::VerifySignature(e.to_string()))?
-            .as_bytes();
+            .map_err(|e| SignatureValidatorError::VerifySignature(e.to_string()))?;
+
+        // Actual implementation from FC side signs the Base64 representation of the SHA256 digest
+        // of the message (i.e. the remote configs). Hence, to verify the signature, we need to
+        // compute the SHA256 digest of the message, then Base64 encode it, and finally verify
+        // the signature against that.
+        let digest = ring::digest::digest(&ring::digest::SHA256, config_content.as_ref());
+        let digest_b64 = BASE64_STANDARD.encode(digest);
+        let msg = digest_b64.as_bytes();
 
         // Until backend migrates to new signature platform, the validation starts with the public key based,
         // and falls back to cert based in case of failure.
@@ -223,7 +232,7 @@ impl RemoteConfigValidator for CompositeSignatureValidator {
             match public_key_store.verify_signature(
                 signature.signature_algorithm(),
                 signature.key_id(),
-                config_content,
+                msg,
                 signature.signature(),
             ) {
                 Ok(()) => return Ok(()),
@@ -242,7 +251,7 @@ impl RemoteConfigValidator for CompositeSignatureValidator {
             .verify_signature(
                 signature.signature_algorithm(),
                 signature.key_id(),
-                config_content,
+                msg,
                 signature.signature(),
             )
             .map_err(|e| SignatureValidatorError::VerifySignature(e.to_string()))
@@ -668,8 +677,14 @@ pub mod tests {
         );
 
         let config = "value";
-
-        let encoded_signature = test_signer.encoded_signature(config);
+        // Actual implementation from FC side signs the Base64 representation of the SHA256 digest
+        // of the message (i.e. the remote configs). Hence, to verify the signature, we need to
+        // compute the SHA256 digest of the message, then Base64 encode it, and finally verify
+        // the signature against that.
+        let digest = ring::digest::digest(&ring::digest::SHA256, config.as_bytes());
+        let msg = BASE64_STANDARD.encode(digest);
+
+        let encoded_signature = test_signer.encoded_signature(&msg);
         let remote_config = OpampRemoteConfig::new(
             AgentID::AgentControl,
             Hash::from("test"),

agent-control/src/opamp/remote_config/validators/signature/verifier.rs

@@ -94,7 +94,7 @@ where
                 .fetch()
                 .map_err(|err| VerifierStoreError::Fetch(err.to_string()))?;
 
-            if !verifier.key_id().eq(key_id) {
+            if !verifier.key_id().eq_ignore_ascii_case(key_id) {
                 return Err(VerifierStoreError::KeyMismatch {
                     signature_key_id: key_id.to_string(),
                     certificate_key_id: verifier.key_id().to_string(),

agent-control/tests/common/opamp.rs

@@ -326,7 +326,14 @@ fn build_response(
             }),
         });
 
-        let signature = key_pair.sign(config.raw_body.as_bytes());
+        // Actual implementation from FC side signs the Base64 representation of the SHA256 digest
+        // of the message (i.e. the remote configs). Hence, to verify the signature, we need to
+        // compute the SHA256 digest of the message, then Base64 encode it, and finally verify
+        // the signature against that.
+        let digest = ring::digest::digest(&ring::digest::SHA256, config.raw_body.as_bytes());
+        let msg = BASE64_STANDARD.encode(digest);
+
+        let signature = key_pair.sign(msg.as_bytes());
 
         let custom_message_data = HashMap::from([(
             "fakeCRC".to_string(), //AC is not using the CRC.

agent-control/tests/on_host/tools/custom_agent_type.rs

@@ -117,14 +117,14 @@ impl CustomAgentType {
 
     pub fn with_health(self, health: Option<&str>) -> Self {
         Self {
-            health: health.map(|h| (serde_yaml::from_str(h).unwrap())),
+            health: health.map(|h| serde_yaml::from_str(h).unwrap()),
             ..self
         }
     }
 
     pub fn with_version(self, version: Option<&str>) -> Self {
         Self {
-            version: version.map(|v| (serde_yaml::from_str(v).unwrap())),
+            version: version.map(|v| serde_yaml::from_str(v).unwrap()),
             ..self
         }
     }