Add signature verification to V2 tool install endpoint (#826)

* modify examples

* add signature

* goa gen github.com/arduino/arduino-create-agent/design

* make signatureKey global

* move `verifyCommandLine` to utilities package

* implement signature verification in case of tool install with URL

The endpoint affected is `/v2/pkgs/tools/installed`.
If the signature is invalid the endpoint returns 500 with "rsa verification error"
If the signature is not present we try to install the tool using "name, version, packager" arguments

* use subtests and add test cases

conn.go

@@ -19,14 +19,7 @@ package main
 
 import (
 	"bytes"
-	"crypto"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/hex"
 	"encoding/json"
-	"encoding/pem"
-	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -114,7 +107,7 @@ func uploadHandler(c *gin.Context) {
 			return
 		}
 
-		err := verifyCommandLine(data.Commandline, data.Signature)
+		err := utilities.VerifyInput(data.Commandline, data.Signature)
 
 		if err != nil {
 			c.String(http.StatusBadRequest, "signature is invalid")
@@ -219,23 +212,6 @@ func send(args map[string]string) {
 	h.broadcastSys <- mapB
 }
 
-func verifyCommandLine(input string, signature string) error {
-	sign, _ := hex.DecodeString(signature)
-	block, _ := pem.Decode([]byte(*signatureKey))
-	if block == nil {
-		return errors.New("invalid key")
-	}
-	key, err := x509.ParsePKIXPublicKey(block.Bytes)
-	if err != nil {
-		return err
-	}
-	rsaKey := key.(*rsa.PublicKey)
-	h := sha256.New()
-	h.Write([]byte(input))
-	d := h.Sum(nil)
-	return rsa.VerifyPKCS1v15(rsaKey, crypto.SHA256, d, sign)
-}
-
 func wsHandler() *WsServer {
 	server, err := socketio.NewServer(nil)
 	if err != nil {

design/pkgs.go

@@ -110,20 +110,29 @@ var ToolPayload = Type("arduino.tool", func() {
 	TypeName("ToolPayload")
 
 	Attribute("name", String, "The name of the tool", func() {
-		Example("avrdude")
+		Example("bossac")
 	})
 	Attribute("version", String, "The version of the tool", func() {
-		Example("6.3.0-arduino9")
+		Example("1.7.0-arduino3")
 	})
 	Attribute("packager", String, "The packager of the tool", func() {
 		Example("arduino")
 	})
 
 	Attribute("url", String, `The url where the package can be found. Optional. 
-	If present checksum must also be present.`)
+	If present checksum must also be present.`, func() {
+		Example("http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz")
+	})
 
 	Attribute("checksum", String, `A checksum of the archive. Mandatory when url is present. 
-	This ensures that the package is downloaded correcly.`)
+	This ensures that the package is downloaded correcly.`, func() {
+		Example("SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100")
+	})
+
+	Attribute("signature", String, `The signature used to sign the url. Mandatory when url is present.
+	This ensure the security of the file downloaded`, func() {
+		Example("382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0")
+	})
 
 	Required("name", "version", "packager")
 })

gen/http/openapi.yaml

@@ -26,7 +26,7 @@ paths:
                         type: array
                         items:
                             type: string
-                            example: Repudiandae dignissimos consectetur eos molestiae culpa soluta.
+                            example: Pariatur laudantium inventore qui.
                 "400":
                     description: Bad Request response.
                     schema:
@@ -193,14 +193,14 @@ definitions:
             timeout:
                 type: boolean
                 description: Is the error a timeout?
-                example: false
+                example: true
         description: url invalid (default view)
         example:
             fault: false
             id: 123abc
             message: parameter 'p' must be an integer
             name: bad_request
-            temporary: false
+            temporary: true
             timeout: false
         required:
             - name
@@ -241,7 +241,7 @@ definitions:
             fault:
                 type: boolean
                 description: Is the error a server-side fault?
-                example: true
+                example: false
             id:
                 type: string
                 description: ID is a unique identifier for this particular occurrence of the problem.
@@ -261,14 +261,14 @@ definitions:
             timeout:
                 type: boolean
                 description: Is the error a timeout?
-                example: false
+                example: true
         description: url invalid (default view)
         example:
-            fault: true
+            fault: false
             id: 123abc
             message: parameter 'p' must be an integer
             name: bad_request
-            temporary: true
+            temporary: false
             timeout: true
         required:
             - name
@@ -284,7 +284,7 @@ definitions:
             fault:
                 type: boolean
                 description: Is the error a server-side fault?
-                example: false
+                example: true
             id:
                 type: string
                 description: ID is a unique identifier for this particular occurrence of the problem.
@@ -300,19 +300,19 @@ definitions:
             temporary:
                 type: boolean
                 description: Is the error temporary?
-                example: true
+                example: false
             timeout:
                 type: boolean
                 description: Is the error a timeout?
-                example: true
+                example: false
         description: url invalid (default view)
         example:
-            fault: false
+            fault: true
             id: 123abc
             message: parameter 'p' must be an integer
             name: bad_request
             temporary: true
-            timeout: false
+            timeout: true
         required:
             - name
             - id
@@ -352,20 +352,20 @@ definitions:
             name:
                 type: string
                 description: The name of the tool
-                example: avrdude
+                example: bossac
             packager:
                 type: string
                 description: The packager of the tool
                 example: arduino
             version:
                 type: string
                 description: The version of the tool
-                example: 6.3.0-arduino9
+                example: 1.7.0-arduino3
         description: A tool is an executable program that can upload sketches. (default view)
         example:
-            name: avrdude
+            name: bossac
             packager: arduino
-            version: 6.3.0-arduino9
+            version: 1.7.0-arduino3
         required:
             - name
             - version
@@ -377,29 +377,36 @@ definitions:
             checksum:
                 type: string
                 description: "A checksum of the archive. Mandatory when url is present. \n\tThis ensures that the package is downloaded correcly."
-                example: Totam cum inventore exercitationem in.
+                example: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
             name:
                 type: string
                 description: The name of the tool
-                example: avrdude
+                example: bossac
             packager:
                 type: string
                 description: The packager of the tool
                 example: arduino
+            signature:
+                type: string
+                description: |-
+                    The signature used to sign the url. Mandatory when url is present.
+                    	This ensure the security of the file downloaded
+                example: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
             url:
                 type: string
                 description: "The url where the package can be found. Optional. \n\tIf present checksum must also be present."
-                example: Totam vero ipsum corporis nihil voluptatem id.
+                example: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
             version:
                 type: string
                 description: The version of the tool
-                example: 6.3.0-arduino9
+                example: 1.7.0-arduino3
         example:
-            checksum: Modi dolorem reprehenderit perspiciatis illo aspernatur.
-            name: avrdude
+            checksum: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+            name: bossac
             packager: arduino
-            url: Officia optio inventore atque in voluptatibus qui.
-            version: 6.3.0-arduino9
+            signature: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
+            url: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
+            version: 1.7.0-arduino3
         required:
             - name
             - version
@@ -424,14 +431,21 @@ definitions:
             checksum:
                 type: string
                 description: "A checksum of the archive. Mandatory when url is present. \n\tThis ensures that the package is downloaded correcly."
-                example: Et qui id et cumque illo.
+                example: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+            signature:
+                type: string
+                description: |-
+                    The signature used to sign the url. Mandatory when url is present.
+                    	This ensure the security of the file downloaded
+                example: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
             url:
                 type: string
                 description: "The url where the package can be found. Optional. \n\tIf present checksum must also be present."
-                example: Officia maiores reiciendis est nemo.
+                example: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
         example:
-            checksum: Corporis eum et numquam sapiente.
-            url: Est voluptatem eos reprehenderit quo sint quod.
+            checksum: SHA-256:1ae54999c1f97234a5c603eb99ad39313b11746a4ca517269a9285afa05f9100
+            signature: 382898a97b5a86edd74208f10107d2fecbf7059ffe9cc856e045266fb4db4e98802728a0859cfdcda1c0b9075ec01e42dbea1f430b813530d5a6ae1766dfbba64c3e689b59758062dc2ab2e32b2a3491dc2b9a80b9cda4ae514fbe0ec5af210111b6896976053ab76bac55bcecfcececa68adfa3299e3cde6b7f117b3552a7d80ca419374bb497e3c3f12b640cf5b20875416b45e662fc6150b99b178f8e41d6982b4c0a255925ea39773683f9aa9201dc5768b6fc857c87ff602b6a93452a541b8ec10ca07f166e61a9e9d91f0a6090bd2038ed4427af6251039fb9fe8eb62ec30d7b0f3df38bc9de7204dec478fb86f8eb3f71543710790ee169dce039d3e0
+            url: http://downloads.arduino.cc/tools/bossac-1.7.0-arduino3-linux64.tar.gz
     ToolsRemoveResponseBody:
         title: 'Mediatype identifier: application/vnd.arduino.operation; view=default'
         type: object
@@ -452,9 +466,15 @@ definitions:
             $ref: '#/definitions/ToolResponse'
         description: AvailableResponseBody is the result type for an array of ToolResponse (default view)
         example:
-            - name: avrdude
+            - name: bossac
+              packager: arduino
+              version: 1.7.0-arduino3
+            - name: bossac
+              packager: arduino
+              version: 1.7.0-arduino3
+            - name: bossac
               packager: arduino
-              version: 6.3.0-arduino9
-            - name: avrdude
+              version: 1.7.0-arduino3
+            - name: bossac
               packager: arduino
-              version: 6.3.0-arduino9
+              version: 1.7.0-arduino3