Look for signing and validation keys in user and source directories

Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
2024-11-22 20:53:11 +00:00 · 2022-05-04 19:42:08 -04:00 · 2022-05-04 19:42:08 -04:00 · 0ec4461756
commit 0ec4461756
parent 29034b6b9d
3 changed files with 35 additions and 7 deletions
--- a/lib/inspec/exceptions.rb
+++ b/lib/inspec/exceptions.rb
@ -9,5 +9,6 @@ module Inspec
    class ResourceSkipped < StandardError; end
    class SecretsBackendNotFound < ArgumentError; end
    class ProfileValidationKeyNotFound < ArgumentError; end
+    class ProfileSigningKeyNotFound < ArgumentError; end
  end
 end
--- a/lib/inspec/iaf_file.rb
+++ b/lib/inspec/iaf_file.rb
@ -14,6 +14,30 @@ module Inspec
    VALID_PROFILE_VERSIONS = Set.new [INSPEC_PROFILE_VERSION_1, INSPEC_PROFILE_VERSION_2]
    VALID_PROFILE_DIGESTS = Set.new [ARTIFACT_DIGEST_NAME]

+    def self.find_validation_key(keyname)
+      [
+        ".",
+        File.join(Inspec.config_dir, "keys"),
+        File.join(Inspec.src_root, "etc", "keys"),
+      ].each do |path|
+        filename = File.join(path, "#{keyname}.pem.pub")
+        return filename if File.exist?(filename)
+      end
+
+      # TODO
+      # Check https://github.com/inspec/inspec/ and download to user keys directory
+
+      raise Inspec::Exceptions::ProfileValidationKeyNotFound.new("#{keyname} not found")
+    end
+
+    def self.find_signing_key(keyname)
+      [".", File.join(Inspec.config_dir, "keys")].each do |path|
+        filename = File.join(path, "#{keyname}.pem.key")
+        return filename if File.exist?(filename)
+      end
+      raise Inspec::Exceptions::ProfileSigningKeyNotFound.new("#{keyname} not found")
+    end
+
    def initialize(path)
      @path = path
    end
@ -54,15 +78,13 @@ module Inspec
        valid = false
      end

-      unless File.exist?("#{header[1]}.pem.pub")
-        raise Inspec::Exceptions::ProfileValidationKeyNotFound, "Profile validation key not found."
-      end
+      validation_key_path = Inspec::IafFile.find_validation_key(header[1])

      unless valid_header?(header)
        valid = false
      end

-      verification_key = KEY_ALG.new File.read "#{header[1]}.pem.pub"
+      verification_key = KEY_ALG.new File.read validation_key_path
      signature = Base64.decode64(header[3])
      digest = ARTIFACT_DIGEST.new
      unless verification_key.verify digest, signature, content
--- a/lib/plugins/inspec-sign/lib/inspec-sign/base.rb
+++ b/lib/plugins/inspec-sign/lib/inspec-sign/base.rb
@ -31,11 +31,15 @@ module InspecPlugins

      def self.keygen(options)
        key = KEY_ALG.new KEY_BITS
-        puts "Generating private key"
+
+        path = File.join(Inspec.config_dir, "keys")
+        FileUtils.mkdir_p(path)
+
+        puts "Generating signing key in #{path}/#{options["keyname"]}.pem.key"
        open "#{options["keyname"]}.pem.key", "w" do |io|
          io.write key.to_pem
        end
-        puts "Generating public key"
+        puts "Generating validation key in #{path}/#{options["keyname"]}.pem.pub"
        open "#{options["keyname"]}.pem.pub", "w" do |io|
          io.write key.public_key.to_pem
        end
@ -46,6 +50,7 @@ module InspecPlugins
        path_to_profile = options["profile"]

        puts "Signing #{options["profile"]} with key #{options["keyname"]}"
+        keypath = Inspec::IafFile.find_signing_key(options["keyname"])

        # Read name and version from metadata and use them to form the filename
        profile_md = artifact.read_profile_metadata(path_to_profile)
@ -58,7 +63,7 @@ module InspecPlugins
        FileUtils.rm(tarfile)

        # Generate the signature
-        signing_key = KEY_ALG.new File.read "#{options["keyname"]}.pem.key"
+        signing_key = KEY_ALG.new File.read keypath
        sha = ARTIFACT_DIGEST.new
        signature = signing_key.sign sha, tar_content
        # convert the signature to Base64