fix: code signature keyId API modification (#1013)

* fix: rename keyId field

* add algorithm

Author: gsanchezgavier

agent-control/src/opamp/callbacks.rs

@@ -496,7 +496,7 @@ pub(crate) mod tests {
                             "unique": [{
                                 "signature": "fake config",
                                 "signingAlgorithm": "ED25519",
-                                "keyID": "fake keyid"
+                                "keyId": "fake keyid"
                             }]
                         }"#
                         .as_bytes()
@@ -526,7 +526,7 @@ pub(crate) mod tests {
                             "unique": [{
                                 "signature": "fake config",
                                 "signingAlgorithm": "ED25519",
-                                "keyID": "fake keyid"
+                                "keyId": "fake keyid"
                             }]
                         }"#
                         .as_bytes()
@@ -552,7 +552,7 @@ pub(crate) mod tests {
                             "unique": [{
                                 "signature": "fake config",
                                 "signingAlgorithm": "ED25519",
-                                "keyID": "fake keyid"
+                                "keyId": "fake keyid"
                             }]
                         }"#
                         .as_bytes()

agent-control/src/opamp/remote_config/signature.rs

@@ -13,8 +13,9 @@ pub const SIGNATURE_CUSTOM_CAPABILITY: &str = "com.newrelic.security.configSigna
 pub const SIGNATURE_CUSTOM_MESSAGE_TYPE: &str = "newrelicRemoteConfigSignature";
 // Supported signature algorithms
 // RSA regex matching supported RSA signature algorithms, length between 2048 and 8192 bits
-pub const RSA_REGEX: &str = "RSA_PKCS1_([0-9]+)_SHA(256|512)";
+pub const RSA_REGEX: &str = "RSA_PKCS1_([0-9]+)_SHA(256|384|512)";
 pub const RSA_PKCS1_2048_8192_SHA256: &str = "RSA_PKCS1_2048_8192_SHA256";
+pub const RSA_PKCS1_2048_8192_SHA384: &str = "RSA_PKCS1_2048_8192_SHA384";
 pub const RSA_PKCS1_2048_8192_SHA512: &str = "RSA_PKCS1_2048_8192_SHA512";
 pub const ECDSA_P256_SHA256: &str = "ECDSA_P256_SHA256";
 pub const ECDSA_P256_SHA384: &str = "ECDSA_P256_SHA384";
@@ -32,6 +33,7 @@ fn rsa_regex() -> &'static Regex {
 #[allow(non_camel_case_types)]
 pub enum SigningAlgorithm {
     RSA_PKCS1_2048_8192_SHA256,
+    RSA_PKCS1_2048_8192_SHA384,
     RSA_PKCS1_2048_8192_SHA512,
     ECDSA_P256_SHA256,
     ECDSA_P256_SHA384,
@@ -64,6 +66,7 @@ impl AsRef<str> for SigningAlgorithm {
     fn as_ref(&self) -> &str {
         match self {
             SigningAlgorithm::RSA_PKCS1_2048_8192_SHA256 => RSA_PKCS1_2048_8192_SHA256,
+            SigningAlgorithm::RSA_PKCS1_2048_8192_SHA384 => RSA_PKCS1_2048_8192_SHA384,
             SigningAlgorithm::RSA_PKCS1_2048_8192_SHA512 => RSA_PKCS1_2048_8192_SHA512,
             SigningAlgorithm::ECDSA_P256_SHA256 => ECDSA_P256_SHA256,
             SigningAlgorithm::ECDSA_P256_SHA384 => ECDSA_P256_SHA384,
@@ -78,6 +81,7 @@ impl From<&SigningAlgorithm> for &SignatureAlgorithm {
     fn from(value: &SigningAlgorithm) -> Self {
         match value {
             SigningAlgorithm::RSA_PKCS1_2048_8192_SHA256 => &webpki::RSA_PKCS1_2048_8192_SHA256,
+            SigningAlgorithm::RSA_PKCS1_2048_8192_SHA384 => &webpki::RSA_PKCS1_2048_8192_SHA384,
             SigningAlgorithm::RSA_PKCS1_2048_8192_SHA512 => &webpki::RSA_PKCS1_2048_8192_SHA512,
             SigningAlgorithm::ECDSA_P256_SHA256 => &webpki::ECDSA_P256_SHA256,
             SigningAlgorithm::ECDSA_P256_SHA384 => &webpki::ECDSA_P256_SHA384,
@@ -105,6 +109,7 @@ fn parse_rsa_algorithm(algo: &str) -> Option<SigningAlgorithm> {
 
     match hash_bytes {
         b"256" => Some(SigningAlgorithm::RSA_PKCS1_2048_8192_SHA256),
+        b"384" => Some(SigningAlgorithm::RSA_PKCS1_2048_8192_SHA384),
         b"512" => Some(SigningAlgorithm::RSA_PKCS1_2048_8192_SHA512),
         _ => None,
     }
@@ -143,7 +148,7 @@ fn parse_rsa_algorithm(algo: &str) -> Option<SigningAlgorithm> {
 ///                 "signingAlgorithm": "RSA_PKCS1_2048_SHA256",
 ///                 "signatureSpecification": "PKCS #1 v2.2",
 ///                 "signingDomain": "iast-csec-se.test-poised-pear.cell.us.nr-data.net",
-///                 "keyID":  "778b223984d389ad6555bdbbbf118420290c53296b6511e1964309965ec5f710"
+///                 "keyId":  "778b223984d389ad6555bdbbbf118420290c53296b6511e1964309965ec5f710"
 ///           }]
 ///     }
 /// }
@@ -164,17 +169,17 @@ fn parse_rsa_algorithm(algo: &str) -> Option<SigningAlgorithm> {
 ///         {
 ///            "signature":  "some signature",
 ///            "signingAlgorithm": "UNSUPPORTED",
-///            "keyID":  "some key id"
+///            "keyId":  "some key id"
 ///         },
 ///         {
 ///            "signature":  "some signature",
 ///            "signingAlgorithm": "ED25519",
-///            "keyID":  "some key id"
+///            "keyId":  "some key id"
 ///         },
 ///         {
 ///            "signature":  "some signature",
 ///            "signingAlgorithm": "RSA_PKCS1_2048_SHA256",
-///            "keyID":  "some key id"
+///            "keyId":  "some key id"
 ///         }
 ///     ]
 /// }"#.as_bytes().to_vec();
@@ -236,16 +241,15 @@ impl<'de> Deserialize<'de> for Signatures {
 /// data before validation ([RawSignatureData], where the signing algorithm is a string) and after validation
 /// [SignatureData] (where the signing algorithm is represented by the [SigningAlgorithm] type).
 #[derive(Debug, Deserialize, Serialize, PartialEq, Clone)]
+#[serde(rename_all = "camelCase")]
 pub struct SignatureFields<A> {
     /// RemoteConfiguration signature on TLS's `DigitallySigned.signature` format encoded in base64.
     pub signature: String,
     /// Public key identifier.
-    #[serde(rename = "keyID")]
     pub key_id: String,
     /// Signing algorithm used the config:
     /// [ECDSA_P256_SHA256,ECDSA_P256_SHA384,ECDSA_P384_SHA256,ECDSA_P384_SHA384,RSA_PKCS1_[2048-8192]_SHA256,
     /// RSA_PKCS1_2048_8192_SHA384,RSA_PKCS1_2048_8192_SHA512,RSA_PKCS1_3072_8192_SHA384,ED25519]
-    #[serde(rename = "signingAlgorithm")]
     pub signing_algorithm: A,
 }
 
@@ -333,6 +337,7 @@ mod tests {
     use super::Signatures;
     use crate::opamp::remote_config::signature::SigningAlgorithm;
     use crate::opamp::remote_config::signature::ECDSA_P256_SHA256;
+    use crate::opamp::remote_config::signature::ECDSA_P256_SHA384;
     use crate::opamp::remote_config::signature::ED25519;
     use opamp_client::opamp::proto::CustomMessage;
     use std::collections::HashMap;
@@ -372,11 +377,14 @@ mod tests {
         struct TestCase {
             name: &'static str,
             custom_message: CustomMessage,
+            algorithm: SigningAlgorithm,
         }
         impl TestCase {
             fn run(self) {
-                let _ = Signatures::try_from(&self.custom_message)
+                let signatures = Signatures::try_from(&self.custom_message)
                     .unwrap_or_else(|err| panic!("case: {} - {}", self.name, err));
+                let (_, signature) = signatures.iter().next().unwrap();
+                assert_eq!(signature.signing_algorithm, self.algorithm);
             }
         }
         let test_cases = vec![
@@ -393,10 +401,11 @@ mod tests {
                                 "signingAlgorithm": "RSA_PKCS1_2048_SHA256",
                                 "signatureSpecification": "PKCS #1 v2.2",
                                 "signingDomain": "iast-csec-se.test-poised-pear.cell.us.nr-data.net",
-                                "keyID":  "778b223984d389ad6555bdbbbf118420290c53296b6511e1964309965ec5f710"
+                                "keyId":  "778b223984d389ad6555bdbbbf118420290c53296b6511e1964309965ec5f710"
                           }]
                     }"#.as_bytes().to_vec(),
                 },
+                algorithm: SigningAlgorithm::RSA_PKCS1_2048_8192_SHA256,
             },
             TestCase {
                 name: "required fields only, RSA_PKCS1_2048_SHA256",
@@ -407,10 +416,11 @@ mod tests {
                           "3936250589": [{
                                 "signature":  "fake",
                                 "signingAlgorithm": "RSA_PKCS1_2048_SHA256",
-                                "keyID":  "fake"
+                                "keyId":  "fake"
                           }]
                     }"#.as_bytes().to_vec(),
                 },
+                algorithm: SigningAlgorithm::RSA_PKCS1_2048_8192_SHA256,
             },
             TestCase {
                 name: "RSA_PKCS1_2048_SHA512",
@@ -421,10 +431,11 @@ mod tests {
                           "3936250589": [{
                                 "signature":  "fake",
                                 "signingAlgorithm": "RSA_PKCS1_2048_SHA512",
-                                "keyID":  "fake"
+                                "keyId":  "fake"
                           }]
                     }"#.as_bytes().to_vec(),
                 },
+                algorithm: SigningAlgorithm::RSA_PKCS1_2048_8192_SHA512,
             },
             TestCase {
                 name: "RSA_PKCS1_2049_SHA512",
@@ -435,10 +446,26 @@ mod tests {
                           "3936250589": [{
                                 "signature":  "fake",
                                 "signingAlgorithm": "RSA_PKCS1_2049_SHA512",
-                                "keyID":  "fake"
+                                "keyId":  "fake"
                           }]
                     }"#.as_bytes().to_vec(),
                 },
+                algorithm: SigningAlgorithm::RSA_PKCS1_2048_8192_SHA512,
+            },
+            TestCase {
+                name: "RSA_PKCS1_3072_SHA384",
+                custom_message: CustomMessage {
+                    capability: super::SIGNATURE_CUSTOM_CAPABILITY.to_string(),
+                    r#type: super::SIGNATURE_CUSTOM_MESSAGE_TYPE.to_string(),
+                    data: r#"{
+                          "3936250589": [{
+                                "signature":  "fake",
+                                "signingAlgorithm": "RSA_PKCS1_3072_SHA384",
+                                "keyId":  "fake"
+                          }]
+                    }"#.as_bytes().to_vec(),
+                },
+                algorithm: SigningAlgorithm::RSA_PKCS1_2048_8192_SHA384,
             },
             TestCase {
                 name: ECDSA_P256_SHA256,
@@ -449,10 +476,26 @@ mod tests {
                           "3936250589": [{
                                 "signature":  "fake",
                                 "signingAlgorithm": "ECDSA_P256_SHA256",
-                                "keyID":  "fake"
+                                "keyId":  "fake"
+                          }]
+                    }"#.as_bytes().to_vec(),
+                },
+                algorithm: SigningAlgorithm::ECDSA_P256_SHA256,
+            },
+            TestCase {
+                name: ECDSA_P256_SHA384,
+                custom_message: CustomMessage {
+                    capability: super::SIGNATURE_CUSTOM_CAPABILITY.to_string(),
+                    r#type: super::SIGNATURE_CUSTOM_MESSAGE_TYPE.to_string(),
+                    data: r#"{
+                          "3936250589": [{
+                                "signature":  "fake",
+                                "signingAlgorithm": "ECDSA_P256_SHA384",
+                                "keyId":  "fake"
                           }]
                     }"#.as_bytes().to_vec(),
                 },
+                algorithm: SigningAlgorithm::ECDSA_P256_SHA384,
             },
             TestCase {
                 name: ED25519,
@@ -463,10 +506,11 @@ mod tests {
                           "3936250589": [{
                                 "signature":  "fake",
                                 "signingAlgorithm": "ED25519",
-                                "keyID":  "fake"
+                                "keyId":  "fake"
                           }]
                     }"#.as_bytes().to_vec(),
                 },
+                algorithm: SigningAlgorithm::ED25519,
             },
             TestCase {
                 name: "Unsupported + ED25519",
@@ -478,16 +522,17 @@ mod tests {
                                 {
                                     "signature":  "fake",
                                     "signingAlgorithm": "unsupported",
-                                    "keyID":  "fake"
+                                    "keyId":  "fake"
                                 },
                                 {
                                     "signature":  "fake",
                                     "signingAlgorithm": "ED25519",
-                                    "keyID":  "fake"
+                                    "keyId":  "fake"
                                 }
                           ]
                     }"#.as_bytes().to_vec(),
                 },
+                algorithm: SigningAlgorithm::ED25519,
             },
 
         ];
@@ -507,17 +552,17 @@ mod tests {
                                 {
                                     "signature":  "fake",
                                     "signingAlgorithm": "unsupported",
-                                    "keyID":  "fake"
+                                    "keyId":  "fake"
                                 },
                                 {
                                     "signature":  "fake",
                                     "signingAlgorithm": "ED25519",
-                                    "keyID":  "fake"
+                                    "keyId":  "fake"
                                 },
                                 {
                                     "signature":  "fake",
                                     "signingAlgorithm": "ECDSA_P256_SHA256",
-                                    "keyID":  "fake"
+                                    "keyId":  "fake"
                                 }
                           ]
                     }"#
@@ -552,7 +597,7 @@ mod tests {
                           "3936250589": [{
                                 "signature":  "fake",
                                 "signingAlgorithm": "unknown",
-                                "keyID":  "fake"
+                                "keyId":  "fake"
                           }]
                     }"#
                     .as_bytes()
@@ -568,7 +613,7 @@ mod tests {
                           "3936250589": [{
                                 "signature":  "fake",
                                 "signingAlgorithm": "RSA_PKCS1_8193_SHA512",
-                                "keyID":  "fake"
+                                "keyId":  "fake"
                           }]
                     }"#
                     .as_bytes()
@@ -597,7 +642,7 @@ mod tests {
                           "config_id2": [{
                                 "signature":  "fake",
                                 "signingAlgorithm": "ED25519",
-                                "keyID":  "fake"
+                                "keyId":  "fake"
                           }]
                     }"#
                     .as_bytes()

agent-control/src/opamp/remote_config/validators/signature/certificate_store.rs

@@ -10,7 +10,7 @@ use tracing::log::error;
 pub enum CertificateStoreError {
     #[error("fetching certificate: `{0}`")]
     CertificateFetch(String),
-    #[error("signature keyID({signature_key_id}) does not match certificate keyID({certificate_key_id})")]
+    #[error("signature keyId({signature_key_id}) does not match certificate keyId({certificate_key_id})")]
     KeyMismatch {
         signature_key_id: String,
         certificate_key_id: String,

agent-control/src/opamp/remote_config/validators/signature/test_data/verify.sh

@@ -24,7 +24,7 @@
 #                         "signingAlgorithm": "RSA_PKCS1_2048_SHA256",
 #                         "signatureSpecification": "PKCS #1 v2.2",
 #                         "signingDomain": "iast-csec-se.test-poised-pear.cell.us.nr-data.net",
-#                         "keyID":  "778b223984d389ad6555bdbbbf118420290c53296b6511e1964309965ec5f710"
+#                         "keyId":  "778b223984d389ad6555bdbbbf118420290c53296b6511e1964309965ec5f710"
 #                   }]
 #             }
 #       }