revert secure enclave key collection to keep out of 1.6.2 (#1649)

kolide · Mar 12, 2024 · 779a25f · 779a25f
1 parent ac0c687
commit 779a25f
Show file tree

Hide file tree

Showing 23 changed files with 86 additions and 894 deletions.
diff --git a/cmd/launcher/main.go b/cmd/launcher/main.go
@@ -159,8 +159,6 @@ func runSubcommands() error {
 		run = runDownloadOsquery
 	case "uninstall":
 		run = runUninstall
-	case "secure-enclave":
-		run = runSecureEnclave
 	default:
 		return fmt.Errorf("unknown subcommand %s", os.Args[1])
 	}

diff --git a/cmd/launcher/secure_enclave_darwin.go b/cmd/launcher/secure_enclave_darwin.go
diff --git a/cmd/launcher/secure_enclave_other.go b/cmd/launcher/secure_enclave_other.go
diff --git a/cmd/launcher/secure_enclave_test.go b/cmd/launcher/secure_enclave_test.go
diff --git a/ee/agent/keys.go b/ee/agent/keys.go
@@ -5,12 +5,12 @@ import (
 	"crypto"
 	"fmt"
 	"log/slog"
+	"runtime"
 	"time"
 
 	"github.com/kolide/launcher/ee/agent/keys"
 	"github.com/kolide/launcher/ee/agent/types"
 	"github.com/kolide/launcher/pkg/backoff"
-	"github.com/kolide/launcher/pkg/traces"
 )
 
 type keyInt interface {
@@ -29,10 +29,7 @@ func LocalDbKeys() keyInt {
 	return localDbKeys
 }
 
-func SetupKeys(ctx context.Context, slogger *slog.Logger, store types.GetterSetterDeleter, skipHardwareKeys bool) error {
-	ctx, span := traces.StartSpan(ctx)
-	defer span.End()
-
+func SetupKeys(slogger *slog.Logger, store types.GetterSetterDeleter) error {
 	slogger = slogger.With("component", "agentkeys")
 
 	var err error
@@ -43,12 +40,13 @@ func SetupKeys(ctx context.Context, slogger *slog.Logger, store types.GetterSett
 		return fmt.Errorf("setting up local db keys: %w", err)
 	}
 
-	if skipHardwareKeys {
+	// Secure Enclave is not currently supported, so don't spend startup time waiting for it to work -- see keys_darwin.go for more details.
+	if runtime.GOOS == "darwin" {
 		return nil
 	}
 
 	err = backoff.WaitFor(func() error {
-		hwKeys, err := setupHardwareKeys(ctx, slogger, store)
+		hwKeys, err := setupHardwareKeys(slogger, store)
 		if err != nil {
 			return err
 		}

diff --git a/ee/agent/keys_darwin.go b/ee/agent/keys_darwin.go
@@ -4,24 +4,46 @@
 package agent
 
 import (
-	"context"
-	"fmt"
+	"errors"
 	"log/slog"
 
 	"github.com/kolide/launcher/ee/agent/types"
-	"github.com/kolide/launcher/ee/secureenclavesigner"
-	"github.com/kolide/launcher/pkg/traces"
 )
 
-func setupHardwareKeys(ctx context.Context, slogger *slog.Logger, store types.GetterSetterDeleter) (keyInt, error) {
-	ctx, span := traces.StartSpan(ctx)
-	defer span.End()
+// nolint:unused
+func setupHardwareKeys(slogger *slog.Logger, store types.GetterSetterDeleter) (keyInt, error) {
+	// We're seeing issues where launcher hangs (and does not complete startup) on the
+	// Sonoma Beta 2 release when trying to interact with the secure enclave below, on
+	// CreateKey. Since we don't expect this to work at the moment anyway, we are
+	// short-circuiting and returning early for now.
+	return nil, errors.New("secure enclave is not currently supported")
 
-	ses, err := secureenclavesigner.New(ctx, slogger, store)
-	if err != nil {
-		traces.SetError(span, fmt.Errorf("creating secureenclave signer: %w", err))
-		return nil, fmt.Errorf("creating secureenclave signer: %w", err)
-	}
+	/*
+		_, pubData, err := fetchKeyData(store)
+		if err != nil {
+			return nil, err
+		}
 
-	return ses, nil
+		if pubData == nil {
+			level.Info(logger).Log("msg", "Generating new keys")
+
+			var err error
+			pubData, err = secureenclave.CreateKey()
+			if err != nil {
+				return nil, fmt.Errorf("creating key: %w", err)
+			}
+
+			if err := storeKeyData(store, nil, pubData); err != nil {
+				clearKeyData(logger, store)
+				return nil, fmt.Errorf("storing key: %w", err)
+			}
+		}
+
+		k, err := secureenclave.New(pubData)
+		if err != nil {
+			return nil, fmt.Errorf("creating secureenclave signer: %w", err)
+		}
+
+		return k, nil
+	*/
 }
diff --git a/ee/agent/keys_tpm.go b/ee/agent/keys_tpm.go
@@ -10,13 +10,10 @@ import (
 
 	"github.com/kolide/krypto/pkg/tpm"
 	"github.com/kolide/launcher/ee/agent/types"
-	"github.com/kolide/launcher/pkg/traces"
 )
 
-func setupHardwareKeys(ctx context.Context, slogger *slog.Logger, store types.GetterSetterDeleter) (keyInt, error) {
-	_, span := traces.StartSpan(ctx)
-	defer span.End()
-
+// nolint:unused
+func setupHardwareKeys(slogger *slog.Logger, store types.GetterSetterDeleter) (keyInt, error) {
 	priData, pubData, err := fetchKeyData(store)
 	if err != nil {
 		return nil, err
@@ -31,24 +28,17 @@ func setupHardwareKeys(ctx context.Context, slogger *slog.Logger, store types.Ge
 		priData, pubData, err = tpm.CreateKey()
 		if err != nil {
 			clearKeyData(slogger, store)
-			traces.SetError(span, fmt.Errorf("creating key: %w", err))
 			return nil, fmt.Errorf("creating key: %w", err)
 		}
 
-		span.AddEvent("new_key_created")
-
 		if err := storeKeyData(store, priData, pubData); err != nil {
 			clearKeyData(slogger, store)
-			traces.SetError(span, fmt.Errorf("storing key: %w", err))
 			return nil, fmt.Errorf("storing key: %w", err)
 		}
-
-		span.AddEvent("new_key_stored")
 	}
 
 	k, err := tpm.New(priData, pubData)
 	if err != nil {
-		traces.SetError(span, fmt.Errorf("creating tpm signer: from new key: %w", err))
 		return nil, fmt.Errorf("creating tpm signer: from new key: %w", err)
 	}
 

diff --git a/ee/control/client_http.go b/ee/control/client_http.go
@@ -11,7 +11,6 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"runtime"
 	"time"
 
 	"github.com/kolide/krypto/pkg/echelper"
@@ -98,9 +97,7 @@ func (c *HTTPClient) GetConfig() (io.Reader, error) {
 
 	// Calculate second signature if available
 	hardwareKeys := agent.HardwareKeys()
-
-	// hardware signing is not implemented for darwin
-	if runtime.GOOS != "darwin" && hardwareKeys.Public() != nil {
+	if hardwareKeys.Public() != nil {
 		key2, err := echelper.PublicEcdsaToB64Der(hardwareKeys.Public().(*ecdsa.PublicKey))
 		if err != nil {
 			return nil, fmt.Errorf("could not get key header from hardware keys: %w", err)