Skip to content

Commit

Permalink
fix: update the way secureboot signer fetches certificate (azure)
Browse files Browse the repository at this point in the history
The previous code was a mistake, the public part of the certificate is
more easily available.

Signed-off-by: Andrey Smirnov <[email protected]>
(cherry picked from commit 241bc93)
  • Loading branch information
smira committed Dec 21, 2023
1 parent 4caffd3 commit 2e99017
Show file tree
Hide file tree
Showing 5 changed files with 40 additions and 53 deletions.
1 change: 0 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.0.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.0.1
github.com/BurntSushi/toml v1.3.2
github.com/aws/aws-sdk-go-v2/config v1.25.6
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.5
Expand Down
2 changes: 0 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,6 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.0.0 h1
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.0.0/go.mod h1:jYmTBxPYmbqUp5pCuTC58jMXVk/NxmqeYdoMbQGVUKo=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.0.1 h1:8TkzQBrN9PWIwo7ekdd696KpC6IfTltV2/F8qKKBWik=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.0.1/go.mod h1:aprFpXPQiTyG5Rkz6Ot5pvU6y6YKg/AKYOcLCoxN0bk=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI=
github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
Expand Down
10 changes: 0 additions & 10 deletions pkg/imager/profile/internal/signer/azure/azure.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,6 @@ import (
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates"
"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys"
"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
)

type authenticationMethod string
Expand Down Expand Up @@ -162,12 +161,3 @@ func getCertsClient(vaultURL string) (*azcertificates.Client, error) {

return azcertificates.NewClient(vaultURL, credAndError.cred, nil)
}

func getSecretsClient(vaultURL string) (*azsecrets.Client, error) {
credAndError := azureCredentialsOnce()
if credAndError.err != nil {
return nil, credAndError.err
}

return azsecrets.NewClient(vaultURL, credAndError.cred, nil)
}
38 changes: 38 additions & 0 deletions pkg/imager/profile/internal/signer/azure/azure_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.

package azure_test

import (
"context"
"crypto/sha256"
"os"
"testing"

"github.com/stretchr/testify/require"

"github.com/siderolabs/talos/pkg/imager/profile/internal/signer/azure"
)

func TestIntegration(t *testing.T) {
for _, envVar := range []string{"AZURE_VAULT_URL", "AZURE_KEY_ID", "AZURE_CERT_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"} {
if os.Getenv(envVar) == "" {
t.Skipf("%s not set", envVar)
}
}

signer, err := azure.NewPCRSigner(context.TODO(), os.Getenv("AZURE_VAULT_URL"), os.Getenv("AZURE_KEY_ID"), "")
require.NoError(t, err)

digest := sha256.Sum256(nil)

_, err = signer.Sign(nil, digest[:], nil)
require.NoError(t, err)

sbSigner, err := azure.NewSecureBootSigner(context.TODO(), os.Getenv("AZURE_VAULT_URL"), os.Getenv("AZURE_CERT_ID"), "")
require.NoError(t, err)

_, err = sbSigner.Signer().Sign(nil, digest[:], nil)
require.NoError(t, err)
}
42 changes: 2 additions & 40 deletions pkg/imager/profile/internal/signer/azure/secureboot.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,9 @@ import (
"context"
"crypto"
"crypto/x509"
"encoding/pem"
"fmt"

"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates"
"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
"github.com/siderolabs/go-pointer"

"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
Expand All @@ -38,8 +36,6 @@ func (s *SecureBootSigner) Certificate() *x509.Certificate {
}

// NewSecureBootSigner creates a new SecureBootSigner.
//
//nolint:gocyclo
func NewSecureBootSigner(ctx context.Context, vaultURL, certificateID, certificateVersion string) (*SecureBootSigner, error) {
certsClient, err := getCertsClient(vaultURL)
if err != nil {
Expand All @@ -51,43 +47,9 @@ func NewSecureBootSigner(ctx context.Context, vaultURL, certificateID, certifica
return nil, fmt.Errorf("failed to get certificate: %w", err)
}

// download the certificate from secrets storage by secret ID
secretsClient, err := getSecretsClient(vaultURL)
cert, err := x509.ParseCertificate(resp.CER)
if err != nil {
return nil, fmt.Errorf("failed to build Azure secrets client: %w", err)
}

SID := pointer.SafeDeref(resp.SID)

secretsResp, err := secretsClient.GetSecret(ctx, SID.Name(), SID.Version(), &azsecrets.GetSecretOptions{})
if err != nil {
return nil, fmt.Errorf("failed to fetch certificate secret: %w", err)
}

certData := []byte(pointer.SafeDeref(secretsResp.Value))

var cert *x509.Certificate

for {
var certBlock *pem.Block

certBlock, certData = pem.Decode(certData)
if certBlock == nil {
break
}

if certBlock.Type == "CERTIFICATE" {
cert, err = x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return nil, fmt.Errorf("failed to parse certificate: %w", err)
}

break
}
}

if cert == nil {
return nil, fmt.Errorf("failed to decode certificate")
return nil, fmt.Errorf("failed to decode certificate: %w", err)
}

// initialize key signer via existing implementation
Expand Down

0 comments on commit 2e99017

Please sign in to comment.