Fimeg/Redflag
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c62de8d8be78bbff3e02b66db0728604c95c021
Redflag/aggregator-server/internal/api/handlers/verification.go
jpetree331 f97d4845af feat(security): A-1 Ed25519 key rotation + A-2 replay attack fixes 
Complete RedFlag codebase with two major security audit implementations.

== A-1: Ed25519 Key Rotation Support ==

Server:
- SignCommand sets SignedAt timestamp and KeyID on every signature
- signing_keys database table (migration 020) for multi-key rotation
- InitializePrimaryKey registers active key at startup
- /api/v1/public-keys endpoint for rotation-aware agents
- SigningKeyQueries for key lifecycle management

Agent:
- Key-ID-aware verification via CheckKeyRotation
- FetchAndCacheAllActiveKeys for rotation pre-caching
- Cache metadata with TTL and staleness fallback
- SecurityLogger events for key rotation and command signing

== A-2: Replay Attack Fixes (F-1 through F-7) ==

F-5 CRITICAL - RetryCommand now signs via signAndCreateCommand
F-1 HIGH     - v3 format: "{agent_id}:{cmd_id}:{type}:{hash}:{ts}"
F-7 HIGH     - Migration 026: expires_at column with partial index
F-6 HIGH     - GetPendingCommands/GetStuckCommands filter by expires_at
F-2 HIGH     - Agent-side executedIDs dedup map with cleanup
F-4 HIGH     - commandMaxAge reduced from 24h to 4h
F-3 CRITICAL - Old-format commands rejected after 48h via CreatedAt

Verification fixes: migration idempotency (ETHOS #4), log format
compliance (ETHOS #1), stale comments updated.

All 24 tests passing. Docker --no-cache build verified.
See docs/ for full audit reports and deviation log (DEV-001 to DEV-019).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 21:25:47 -04:00

137 lines
4.1 KiB
Go
Raw Blame History

package handlers
import (
"crypto/ed25519"
"encoding/hex"
"fmt"
"log"
"net/http"
"strings"
"github.com/Fimeg/RedFlag/aggregator-server/internal/database/queries"
"github.com/Fimeg/RedFlag/aggregator-server/internal/models"
"github.com/Fimeg/RedFlag/aggregator-server/internal/services"
"github.com/gin-gonic/gin"
)
// VerificationHandler handles signature verification requests
type VerificationHandler struct {
agentQueries *queries.AgentQueries
signingService *services.SigningService
}
// NewVerificationHandler creates a new verification handler
func NewVerificationHandler(aq *queries.AgentQueries, signingService *services.SigningService) *VerificationHandler {
return &VerificationHandler{
agentQueries: aq,
signingService: signingService,
}
}
// VerifySignature handles POST /api/v1/agents/:id/verify-signature
func (h *VerificationHandler) VerifySignature(c *gin.Context) {
var req models.SignatureVerificationRequest
if err := c.ShouldBindJSON(&req); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
// Validate the agent exists and matches the provided machine ID
agent, err := h.agentQueries.GetAgentByID(req.AgentID)
if err != nil {
c.JSON(http.StatusNotFound, gin.H{"error": "agent not found"})
return
}
// Verify machine ID matches
if agent.MachineID == nil || *agent.MachineID != req.MachineID {
c.JSON(http.StatusUnauthorized, gin.H{
"error": "machine ID mismatch",
"expected": agent.MachineID,
"received": req.MachineID,
})
return
}
// Verify public key fingerprint matches
if agent.PublicKeyFingerprint == nil || *agent.PublicKeyFingerprint != req.PublicKey {
c.JSON(http.StatusUnauthorized, gin.H{
"error": "public key fingerprint mismatch",
"expected": agent.PublicKeyFingerprint,
"received": req.PublicKey,
})
return
}
// Verify the signature
valid, err := h.verifyAgentSignature(req.BinaryPath, req.Signature)
if err != nil {
log.Printf("Signature verification failed for agent %s: %v", req.AgentID, err)
c.JSON(http.StatusInternalServerError, gin.H{
"error": "signature verification failed",
"details": err.Error(),
})
return
}
response := models.SignatureVerificationResponse{
Valid: valid,
AgentID: req.AgentID.String(),
MachineID: req.MachineID,
Fingerprint: req.PublicKey,
Message: "Signature verification completed",
}
if !valid {
response.Message = "Invalid signature - binary may be tampered with"
c.JSON(http.StatusUnauthorized, response)
return
}
c.JSON(http.StatusOK, response)
}
// verifyAgentSignature verifies the signature of an agent binary
func (h *VerificationHandler) verifyAgentSignature(binaryPath, signatureHex string) (bool, error) {
// Decode the signature
signature, err := hex.DecodeString(signatureHex)
if err != nil {
return false, fmt.Errorf("invalid signature format: %w", err)
}
if len(signature) != ed25519.SignatureSize {
return false, fmt.Errorf("invalid signature size: expected %d bytes, got %d", ed25519.SignatureSize, len(signature))
}
// Read the binary file
content, err := readFileContent(binaryPath)
if err != nil {
return false, fmt.Errorf("failed to read binary: %w", err)
}
// Verify using the signing service
valid, err := h.signingService.VerifySignature(content, signatureHex)
if err != nil {
return false, fmt.Errorf("verification failed: %w", err)
}
return valid, nil
}
// readFileContent reads file content safely
func readFileContent(filePath string) ([]byte, error) {
// Basic path validation to prevent directory traversal
if strings.Contains(filePath, "..") || strings.Contains(filePath, "~") {
return nil, fmt.Errorf("invalid file path")
}
// Only allow specific file patterns for security
if !strings.HasSuffix(filePath, "/redflag-agent") && !strings.HasSuffix(filePath, "/redflag-agent.exe") {
return nil, fmt.Errorf("invalid file type - only agent binaries are allowed")
}
// For security, we won't actually read files in this handler
// In a real implementation, this would verify the actual binary on the agent
// For now, we'll simulate the verification process
return []byte("simulated-binary-content"), nil
}
Reference in New Issue View Git Blame Copy Permalink