From 3140b06cf0b9c76dc8104512b96f8eb4dec6b21a Mon Sep 17 00:00:00 2001 From: Matteo Suppo Date: Thu, 25 Feb 2016 12:24:58 +0100 Subject: [PATCH 1/4] Check for signature of commandline Read the commandline.pub key and throw error if the signature of commandline is invalid. Need to update the webide to generate the signature --- conn.go | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/conn.go b/conn.go index 4989ebd6a..10cd0b1fc 100644 --- a/conn.go +++ b/conn.go @@ -3,6 +3,12 @@ package main import ( + "crypto" + "crypto/rsa" + "crypto/sha256" + "crypto/x509" + "encoding/pem" + "io/ioutil" "net/http" "strconv" @@ -61,6 +67,22 @@ func uploadHandler(c *gin.Context) { if commandline == "undefined" { commandline = "" } + + signature := c.PostForm("signature") + if signature == "" { + c.String(http.StatusBadRequest, "signature is required") + log.Error("signature is required") + return + } + + err := verifyCommandLine(commandline, signature) + + if err != nil { + c.String(http.StatusBadRequest, "signature is invalid") + log.Error("signature is invalid") + return + } + extraInfo.use_1200bps_touch, _ = strconv.ParseBool(c.PostForm("use_1200bps_touch")) extraInfo.wait_for_upload_port, _ = strconv.ParseBool(c.PostForm("wait_for_upload_port")) extraInfo.networkPort, _ = strconv.ParseBool(c.PostForm("network")) @@ -90,6 +112,24 @@ func uploadHandler(c *gin.Context) { } } +func verifyCommandLine(input string, signature string) error { + publicKey, err := ioutil.ReadFile("commandline.pub") + if err != nil { + return err + } + + block, _ := pem.Decode(publicKey) + key, err := x509.ParsePKIXPublicKey(block.Bytes) + if err != nil { + return err + } + rsaKey := key.(*rsa.PublicKey) + h := sha256.New() + h.Write([]byte(input)) + d := h.Sum(nil) + return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, d, []byte(signature)) +} + func wsHandler() *WsServer { server, err := socketio.NewServer(nil) if err != nil { 
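Review bot: `rsaKey := key.(*rsa.PublicKey)` in verifyCommandLine is an unchecked type assertion, so a commandline.pub holding a non-RSA SPKI key (ECDSA, Ed25519) panics inside the upload handler instead of returning an error, and `block.Bytes` is dereferenced without checking that pem.Decode found a block at all (it returns nil when it does not). Use the two-value form and guard the block: `if block == nil { return errors.New("no PEM block in commandline.pub") }` before ParsePKIXPublicKey, and `rsaKey, ok := key.(*rsa.PublicKey); if !ok { return errors.New("signature key is not RSA") }` (errors is not imported by this hunk yet). Passing `[]byte(signature)` straight to VerifyPKCS1v15 also treats a text form field as raw signature bytes, which a form value cannot carry intact, so the signer and this verifier need to agree on an encoding such as hex or base64.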
From 2b61f1f09c72f2b4619d20d87f7262e068314d2f Mon Sep 17 00:00:00 2001 From: Matteo Suppo Date: Thu, 25 Feb 2016 14:25:51 +0100 Subject: [PATCH 2/4] Put publicKey in config --- conn.go | 15 ++++++++------- main.go | 1 + 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/conn.go b/conn.go index 10cd0b1fc..f8ce768e1 100644 --- a/conn.go +++ b/conn.go @@ -7,8 +7,9 @@ import ( "crypto/rsa" "crypto/sha256" "crypto/x509" + "encoding/hex" "encoding/pem" - "io/ioutil" + "errors" "net/http" "strconv" @@ -80,6 +81,7 @@ func uploadHandler(c *gin.Context) { if err != nil { c.String(http.StatusBadRequest, "signature is invalid") log.Error("signature is invalid") + log.Error(err) return } @@ -113,12 +115,11 @@ func uploadHandler(c *gin.Context) { } func verifyCommandLine(input string, signature string) error { - publicKey, err := ioutil.ReadFile("commandline.pub") - if err != nil { - return err + sign, _ := hex.DecodeString(signature) + block, _ := pem.Decode([]byte(*signatureKey)) + if block == nil { + return errors.New("invalid key") } - - block, _ := pem.Decode(publicKey) key, err := x509.ParsePKIXPublicKey(block.Bytes) if err != nil { return err @@ -127,7 +128,7 @@ func verifyCommandLine(input string, signature string) error { h := sha256.New() h.Write([]byte(input)) d := h.Sum(nil) - return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, d, []byte(signature)) + return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, d, sign) } func wsHandler() *WsServer { diff --git a/main.go b/main.go index 9cc38346d..8b779a615 100755 --- a/main.go +++ b/main.go @@ -45,6 +45,7 @@ var ( port string portSSL string origins = flag.String("origins", "", "Allowed origin list for CORS") + signatureKey = flag.String("signatureKey", "", "Pem-encoded public key to verify signed commandlines") ) type NullWriter int From 7d54beefe406cf1ee19893e3a93d5d59442d69cc Mon Sep 17 00:00:00 2001 
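Review bot: `sign, _ := hex.DecodeString(signature)` discards the decode error, so a malformed hex signature is verified as whatever prefix DecodeString managed to decode and the client only sees the generic rsa verification failure rather than an encoding error; check it: `sign, err := hex.DecodeString(signature); if err != nil { return err }`. The PEM block is also re-decoded and re-parsed from `*signatureKey` on every upload; parsing it once at startup would avoid the per-request work and reject a misconfigured `-signatureKey` when the agent starts instead of on the first upload (the flag is declared in main.go, outside this hunk). The unchecked `key.(*rsa.PublicKey)` assertion from the previous patch is unchanged here and still panics on a non-RSA key supplied via the flag.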
From: Matteo Suppo Date: Fri, 26 Feb 2016 13:19:42 +0100 Subject: [PATCH 3/4] Only listen to localhost by default --- main.go | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/main.go b/main.go index 8b779a615..ac36b0562 100755 --- a/main.go +++ b/main.go @@ -46,6 +46,7 @@ var ( portSSL string origins = flag.String("origins", "", "Allowed origin list for CORS") signatureKey = flag.String("signatureKey", "", "Pem-encoded public key to verify signed commandlines") + address = flag.String("address", "127.0.0.1", "The address where to listen. Defaults to localhost") ) type NullWriter int @@ -258,12 +259,11 @@ func main() { for i < end { i = i + 1 portSSL = ":" + strconv.Itoa(i) - if err := r.RunTLS(portSSL, filepath.Join(dest, "cert.pem"), filepath.Join(dest, "key.pem")); err != nil { + if err := r.RunTLS(*address+portSSL, filepath.Join(dest, "cert.pem"), filepath.Join(dest, "key.pem")); err != nil { log.Printf("Error trying to bind to port: %v, so exiting...", err) continue } else { - ip := "0.0.0.0" - log.Print("Starting server and websocket (SSL) on " + ip + "" + port) + log.Print("Starting server and websocket (SSL) on " + *address + "" + port) break } } @@ -276,12 +276,11 @@ func main() { for i < end { i = i + 1 port = ":" + strconv.Itoa(i) - if err := r.Run(port); err != nil { + if err := r.Run(*address + port); err != nil { log.Printf("Error trying to bind to port: %v, so exiting...", err) continue } else { - ip := "0.0.0.0" - log.Print("Starting server and websocket on " + ip + "" + port) + log.Print("Starting server and websocket on " + *address + "" + port) break } } From 9013af9ac80dc40229893af2b32cb35f61f58a78 Mon Sep 17 00:00:00 2001 From: Matteo Suppo Date: Fri, 15 Apr 2016 11:38:24 +0200 Subject: [PATCH 4/4] Add the default public key as a default --- main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.go b/main.go index ac36b0562..95943850f 100755 --- a/main.go +++ b/main.go 
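Review bot: In the TLS loop the success log now prints `*address + "" + port` while the listener was bound with `*address+portSSL`, so it reports the plain-HTTP port (possibly still empty if that loop has not run yet) rather than the port actually in use; change it to `log.Print("Starting server and websocket (SSL) on " + *address + portSSL)`, and the `+ ""` no-op can be dropped from both branches. Defaulting `-address` to 127.0.0.1 keeps the agent off the network, but a browser on the same machine can still reach it from any page, so the `origins` CORS allow-list declared in the first hunk remains the boundary that decides which sites may call the upload endpoint; that is worth stating in the flag's help text so nobody reads the localhost default as the whole protection. The loop bodies belong to main(), which starts and ends outside these hunks.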
@@ -45,7 +45,7 @@ var ( port string portSSL string origins = flag.String("origins", "", "Allowed origin list for CORS") - signatureKey = flag.String("signatureKey", "", "Pem-encoded public key to verify signed commandlines") + signatureKey = flag.String("signatureKey", "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvc0yZr1yUSen7qmE3cxF\nIE12rCksDnqR+Hp7o0nGi9123eCSFcJ7CkIRC8F+8JMhgI3zNqn4cUEn47I3RKD1\nZChPUCMiJCvbLbloxfdJrUi7gcSgUXrlKQStOKF5Iz7xv1M4XOP3JtjXLGo3EnJ1\npFgdWTOyoSrA8/w1rck4c/ISXZSinVAggPxmLwVEAAln6Itj6giIZHKvA2fL2o8z\nCeK057Lu8X6u2CG8tRWSQzVoKIQw/PKK6CNXCAy8vo4EkXudRutnEYHEJlPkVgPn\n2qP06GI+I+9zKE37iqj0k1/wFaCVXHXIvn06YrmjQw6I0dDj/60Wvi500FuRVpn9\ntwIDAQAB\n-----END PUBLIC KEY-----", "Pem-encoded public key to verify signed commandlines") address = flag.String("address", "127.0.0.1", "The address where to listen. Defaults to localhost") )
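Review bot: The flag default now embeds a public key whose provenance is recorded nowhere in the code, which matters because this key alone decides whose signed commandlines the agent will execute; add a comment above the declaration such as `// Default public key of the service that signs commandlines (the webide, per the first patch); override with -signatureKey to trust another signer, rotate by replacing this default.` The key appears to be a 2048-bit RSA SPKI key, which is adequate for PKCS#1 v1.5 with SHA-256, but verifyCommandLine in conn.go never checks the size of whatever is passed via -signatureKey, so a `rsaKey.N.BitLen() < 2048` check there would keep an operator from silently weakening the gate. A multi-line PEM as a flag default also makes `-help` output hard to read; a `-signatureKeyFile` path flag might be cleaner, though that is a matter of taste.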