Skip to content

Commit

Permalink
[signing] More signing automation
Browse files Browse the repository at this point in the history
Automate the offline portion of the signing procedure by providing a
JSON file of signing directives.  Rather than having to manually enter a
command line per file to sign, one can simply provide the json file to
the `exec` command:

```
hsmtool --profile earlgrey_a0 exec signing_directives.json
```

The signing directives file will contain a command specification for
each signable input provided to the `srcs` attribute of the
`offline_presigning_artifacts` rule.

Signed-off-by: Chris Frantz <[email protected]>
  • Loading branch information
cfrantz committed Jan 5, 2024
1 parent ae2a524 commit ee69e4f
Showing 1 changed file with 25 additions and 3 deletions.
28 changes: 25 additions & 3 deletions rules/signing.bzl
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,7 @@ def _presigning_artifacts(ctx, opentitantool, src, manifest, rsa_key, spx_key, b
else:
basename = paths.replace_extension(basename, "")

signing_directives = []
pre = ctx.actions.declare_file("{}.pre-signing".format(basename))
inputs = [
src,
Expand Down Expand Up @@ -152,6 +153,15 @@ def _presigning_artifacts(ctx, opentitantool, src, manifest, rsa_key, spx_key, b
executable = opentitantool,
mnemonic = "PreSigningDigest",
)
signing_directives.append(struct(
command = "rsa-sign",
id = None,
label = rsa_key.name,
format = "Sha256Hash",
little_endian = True,
output = "{}.rsa_sig".format(basename),
input = "{}.digest".format(basename),
))

# Compute message to be signed with SPX+.
spxmsg = None
Expand All @@ -171,7 +181,10 @@ def _presigning_artifacts(ctx, opentitantool, src, manifest, rsa_key, spx_key, b
executable = opentitantool,
mnemonic = "PreSigningSpxMessage",
)
return struct(pre = pre, digest = digest, spxmsg = spxmsg)
# TODO(cfrantz): After adding SPX support to hsmtool, append an appropriate
# signing directive here.

return struct(pre = pre, digest = digest, spxmsg = spxmsg, script = signing_directives)

def _local_sign(ctx, tool, digest, rsa_key, spxmsg = None, spx_key = None, profile = None):
"""Sign a digest with a local on-disk RSA private key.
Expand Down Expand Up @@ -309,6 +322,7 @@ def _offline_presigning_artifacts(ctx):
spx_key = key_from_dict(ctx.attr.spx_key, "spx_key")
digests = []
bins = []
script = []
for src in get_binary_files(ctx.attr.srcs):
artifacts = _presigning_artifacts(
ctx,
Expand All @@ -320,12 +334,20 @@ def _offline_presigning_artifacts(ctx):
)
bins.append(artifacts.pre)
digests.append(artifacts.digest)
script.extend(artifacts.script)
if artifacts.spxmsg:
digests.append(artifacts.spxmsg)

default_files = digests
if script:
script_file = ctx.actions.declare_file("{}.json".format(ctx.attr.name))
ctx.actions.write(script_file, json.encode_indent(script, indent = " ") + "\n")
default_files.append(script_file)

return [
DefaultInfo(files = depset(digests), data_runfiles = ctx.runfiles(files = digests)),
DefaultInfo(files = depset(default_files), data_runfiles = ctx.runfiles(files = default_files)),
PreSigningBinaryInfo(files = depset(bins)),
OutputGroupInfo(digest = depset(digests), binary = depset(bins)),
OutputGroupInfo(digest = depset(digests), binary = depset(bins), script = depset([script_file])),
]

offline_presigning_artifacts = rule(
Expand Down

0 comments on commit ee69e4f

Please sign in to comment.