fleet/pkg/fleethttpsig/fleethttpsig.go

// Package fleethttpsig is a common package to use by Fleet client and servers for HTTP signing/verification.
package fleethttpsig

import (
	"crypto"
	"crypto/ecdsa"

	"github.com/remitly-oss/httpsig-go"
)

var (
	// requiredFields specifies the required fields in HTTP signed requests.
	// We are not using @target-uri in the signature so that we don't run into issues with HTTPS forwarding and proxies (http vs https).
	requiredFields = httpsig.Fields("@method", "@authority", "@path", "@query", "content-digest")

	requiredMetadata = []httpsig.Metadata{httpsig.MetaKeyID, httpsig.MetaCreated, httpsig.MetaNonce}
)

// Verifier returns a *httpsig.Verified configured for verifying signed HTTP requests from Fleet clients.
func Verifier(kf httpsig.KeyFetcher) (*httpsig.Verifier, error) {
	return httpsig.NewVerifier(kf, httpsig.VerifyProfile{
		SignatureLabel:    httpsig.DefaultSignatureLabel,
		AllowedAlgorithms: []httpsig.Algorithm{httpsig.Algo_ECDSA_P256_SHA256, httpsig.Algo_ECDSA_P384_SHA384},
		RequiredFields:    requiredFields,
		RequiredMetadata:  requiredMetadata,
		// The algorithm should be looked up from the keyid not an explicit setting.
		DisallowedMetadata: []httpsig.Metadata{httpsig.MetaAlgorithm},
	})
}

// Signer returns a *httpsig.Signer to sign HTTP requests to a Fleet server.
// It handles both regular ECDSA keys and TPM-backed signers.
func Signer(metaKeyID string, signer crypto.Signer, signingAlgorithm httpsig.Algorithm) (*httpsig.Signer, error) {
	signingKey := httpsig.SigningKey{
		MetaKeyID: metaKeyID,
	}
	if _, ok := signer.(*ecdsa.PrivateKey); ok {
		signingKey.Key = signer
	} else {
		// TPM or other hardware-backed signer
		signingKey.Opts = httpsig.SigningKeyOpts{
			Signer: signer,
		}
	}
	return httpsig.NewSigner(httpsig.SigningProfile{
		Algorithm: signingAlgorithm,
		Fields:    requiredFields,
		Metadata:  requiredMetadata,
	}, signingKey)
}
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`// Package fleethttpsig is a common package to use by Fleet client and servers for HTTP signing/verification.`
			`package fleethttpsig`

			`import (`
			`"crypto"`
Updated httpsig-go library to 1.2.0 and removed vendored version. (#32426) Fixes #32393 httpsig-go library has encorporated the changes needed to support TPM, so we are removing our local version of this library. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) 2025-08-28 19:28:30 +00:00			`"crypto/ecdsa"`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00
			`"github.com/remitly-oss/httpsig-go"`
			`)`

			`var (`
			`// requiredFields specifies the required fields in HTTP signed requests.`
			`// We are not using @target-uri in the signature so that we don't run into issues with HTTPS forwarding and proxies (http vs https).`
			`requiredFields = httpsig.Fields("@method", "@authority", "@path", "@query", "content-digest")`

			`requiredMetadata = []httpsig.Metadata{httpsig.MetaKeyID, httpsig.MetaCreated, httpsig.MetaNonce}`
			`)`

			`// Verifier returns a *httpsig.Verified configured for verifying signed HTTP requests from Fleet clients.`
			`func Verifier(kf httpsig.KeyFetcher) (*httpsig.Verifier, error) {`
			`return httpsig.NewVerifier(kf, httpsig.VerifyProfile{`
			`SignatureLabel: httpsig.DefaultSignatureLabel,`
			`AllowedAlgorithms: []httpsig.Algorithm{httpsig.Algo_ECDSA_P256_SHA256, httpsig.Algo_ECDSA_P384_SHA384},`
			`RequiredFields: requiredFields,`
			`RequiredMetadata: requiredMetadata,`
			`// The algorithm should be looked up from the keyid not an explicit setting.`
			`DisallowedMetadata: []httpsig.Metadata{httpsig.MetaAlgorithm},`
			`})`
			`}`

			`// Signer returns a *httpsig.Signer to sign HTTP requests to a Fleet server.`
Updated httpsig-go library to 1.2.0 and removed vendored version. (#32426) Fixes #32393 httpsig-go library has encorporated the changes needed to support TPM, so we are removing our local version of this library. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) 2025-08-28 19:28:30 +00:00			`// It handles both regular ECDSA keys and TPM-backed signers.`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`func Signer(metaKeyID string, signer crypto.Signer, signingAlgorithm httpsig.Algorithm) (*httpsig.Signer, error) {`
Updated httpsig-go library to 1.2.0 and removed vendored version. (#32426) Fixes #32393 httpsig-go library has encorporated the changes needed to support TPM, so we are removing our local version of this library. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) 2025-08-28 19:28:30 +00:00			`signingKey := httpsig.SigningKey{`
			`MetaKeyID: metaKeyID,`
			`}`
			`if _, ok := signer.(*ecdsa.PrivateKey); ok {`
			`signingKey.Key = signer`
			`} else {`
			`// TPM or other hardware-backed signer`
			`signingKey.Opts = httpsig.SigningKeyOpts{`
			`Signer: signer,`
			`}`
			`}`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`return httpsig.NewSigner(httpsig.SigningProfile{`
			`Algorithm: signingAlgorithm,`
			`Fields: requiredFields,`
			`Metadata: requiredMetadata,`
Updated httpsig-go library to 1.2.0 and removed vendored version. (#32426) Fixes #32393 httpsig-go library has encorporated the changes needed to support TPM, so we are removing our local version of this library. # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. ## Testing - [x] QA'd all new/changed functionality manually ## fleetd/orbit/Fleet Desktop - [x] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)) 2025-08-28 19:28:30 +00:00			`}, signingKey)`
fleetd generate TPM key and issue SCEP certificate (#30932) #30461 This PR contains the changes for the happy path. On a separate PR we will be adding tests and further fixes for edge cases. - [X] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [ ] Added/updated automated tests - [x] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Make sure fleetd is compatible with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md)). - [ ] Orbit runs on macOS, Linux and Windows. Check if the orbit feature/bugfix should only apply to one platform (`runtime.GOOS`). - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * New Features * Added support for using a TPM-backed key and SCEP-issued certificate to sign HTTP requests, enhancing security through hardware-based key management. * Introduced new CLI and environment flags to enable TPM-backed client certificates for Linux packages and Orbit. * Added a local HTTPS proxy that automatically signs requests using the TPM-backed key. * Bug Fixes * Improved cleanup and restart behavior when authentication fails with a host identity certificate. * Tests * Added comprehensive tests for SCEP client functionality and TPM integration. * Chores * Updated scripts and documentation to support TPM-backed client certificate packaging and configuration. <!-- end of auto-generated comment: release notes by coderabbit.ai --> 2025-07-18 14:31:52 +00:00			`}`