Borealis-Github-Replica/Data/Server/Modules/crypto/signing.py

"""
Code-signing helpers for delivering scripts to agents.
"""

from __future__ import annotations

from pathlib import Path
from typing import Tuple

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

from Modules.runtime import (
    ensure_server_certificates_dir,
    server_certificates_path,
    runtime_path,
)

from .keys import base64_from_spki_der

_KEY_DIR = server_certificates_path("Code-Signing")
_SIGNING_KEY_FILE = _KEY_DIR / "borealis-script-ed25519.key"
_SIGNING_PUB_FILE = _KEY_DIR / "borealis-script-ed25519.pub"
_LEGACY_KEY_FILE = runtime_path("keys") / "borealis-script-ed25519.key"
_LEGACY_PUB_FILE = runtime_path("keys") / "borealis-script-ed25519.pub"
_OLD_RUNTIME_KEY_DIR = runtime_path("script_signing_keys")
_OLD_RUNTIME_KEY_FILE = _OLD_RUNTIME_KEY_DIR / "borealis-script-ed25519.key"
_OLD_RUNTIME_PUB_FILE = _OLD_RUNTIME_KEY_DIR / "borealis-script-ed25519.pub"


class ScriptSigner:
    def __init__(self, private_key: ed25519.Ed25519PrivateKey):
        self._private = private_key
        self._public = private_key.public_key()

    def sign(self, payload: bytes) -> bytes:
        return self._private.sign(payload)

    def public_spki_der(self) -> bytes:
        return self._public.public_bytes(
            encoding=serialization.Encoding.DER,
            format=serialization.PublicFormat.SubjectPublicKeyInfo,
        )

    def public_base64_spki(self) -> str:
        return base64_from_spki_der(self.public_spki_der())


def load_signer() -> ScriptSigner:
    private_key = _load_or_create()
    return ScriptSigner(private_key)


def _load_or_create() -> ed25519.Ed25519PrivateKey:
    ensure_server_certificates_dir("Code-Signing")
    _migrate_legacy_material_if_present()

    if _SIGNING_KEY_FILE.exists():
        with _SIGNING_KEY_FILE.open("rb") as fh:
            return serialization.load_pem_private_key(fh.read(), password=None)

    if _LEGACY_KEY_FILE.exists():
        with _LEGACY_KEY_FILE.open("rb") as fh:
            return serialization.load_pem_private_key(fh.read(), password=None)

    private_key = ed25519.Ed25519PrivateKey.generate()
    pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )
    with _SIGNING_KEY_FILE.open("wb") as fh:
        fh.write(pem)
    try:
        if hasattr(_SIGNING_KEY_FILE, "chmod"):
            _SIGNING_KEY_FILE.chmod(0o600)
    except Exception:
        pass

    pub_der = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.DER,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    _SIGNING_PUB_FILE.write_bytes(pub_der)

    return private_key


def _migrate_legacy_material_if_present() -> None:
    if _SIGNING_KEY_FILE.exists():
        return

    # First migrate from legacy runtime path embedded in Server runtime.
    try:
        if _OLD_RUNTIME_KEY_FILE.exists() and not _SIGNING_KEY_FILE.exists():
            ensure_server_certificates_dir("Code-Signing")
            try:
                _OLD_RUNTIME_KEY_FILE.replace(_SIGNING_KEY_FILE)
            except Exception:
                _SIGNING_KEY_FILE.write_bytes(_OLD_RUNTIME_KEY_FILE.read_bytes())
            if _OLD_RUNTIME_PUB_FILE.exists() and not _SIGNING_PUB_FILE.exists():
                try:
                    _OLD_RUNTIME_PUB_FILE.replace(_SIGNING_PUB_FILE)
                except Exception:
                    _SIGNING_PUB_FILE.write_bytes(_OLD_RUNTIME_PUB_FILE.read_bytes())
    except Exception:
        pass

    if not _LEGACY_KEY_FILE.exists() or _SIGNING_KEY_FILE.exists():
        return

    try:
        ensure_server_certificates_dir("Code-Signing")
        try:
            _LEGACY_KEY_FILE.replace(_SIGNING_KEY_FILE)
        except Exception:
            _SIGNING_KEY_FILE.write_bytes(_LEGACY_KEY_FILE.read_bytes())

        if _LEGACY_PUB_FILE.exists() and not _SIGNING_PUB_FILE.exists():
            try:
                _LEGACY_PUB_FILE.replace(_SIGNING_PUB_FILE)
            except Exception:
                _SIGNING_PUB_FILE.write_bytes(_LEGACY_PUB_FILE.read_bytes())
    except Exception:
        return