truthound 1.0.8__py3-none-any.whl

truthound/plugins/security/signing/service.py

@@ -0,0 +1,330 @@
+"""Plugin signing service implementation.
+
+This module provides the SigningServiceImpl that can sign plugins
+using various cryptographic algorithms.
+"""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import hmac
+import json
+import logging
+from datetime import datetime, timedelta, timezone
+from enum import Enum, auto
+from pathlib import Path
+from typing import Any
+
+from truthound.plugins.security.protocols import SignatureInfo, VerificationResult, TrustLevel
+from truthound.plugins.security.exceptions import SignatureError, InvalidSignatureError
+
+logger = logging.getLogger(__name__)
+
+
+class SignatureAlgorithm(Enum):
+    """Supported signature algorithms."""
+
+    SHA256 = auto()       # Simple SHA256 hash (not recommended for production)
+    SHA512 = auto()       # SHA512 hash
+    HMAC_SHA256 = auto()  # HMAC with SHA256
+    HMAC_SHA512 = auto()  # HMAC with SHA512
+    RSA_SHA256 = auto()   # RSA with SHA256 (requires cryptography)
+    ED25519 = auto()      # Ed25519 (requires cryptography)
+
+
+class SigningServiceImpl:
+    """Implementation of plugin signing service.
+
+    Supports multiple signature algorithms from simple hashing to
+    cryptographic signatures.
+
+    Example:
+        >>> service = SigningServiceImpl(algorithm=SignatureAlgorithm.HMAC_SHA256)
+        >>> signature = service.sign(
+        ...     plugin_path=Path("my_plugin"),
+        ...     private_key=b"secret_key",
+        ... )
+    """
+
+    def __init__(
+        self,
+        algorithm: SignatureAlgorithm = SignatureAlgorithm.SHA256,
+        signer_id: str = "truthound",
+        validity_days: int = 365,
+    ) -> None:
+        """Initialize signing service.
+
+        Args:
+            algorithm: Signature algorithm to use
+            signer_id: Identifier for this signer
+            validity_days: How long signatures are valid
+        """
+        self.algorithm = algorithm
+        self.signer_id = signer_id
+        self.validity_days = validity_days
+
+    def sign(
+        self,
+        plugin_path: Path,
+        private_key: bytes,
+        certificate: bytes | None = None,
+        metadata: dict[str, Any] | None = None,
+    ) -> SignatureInfo:
+        """Sign a plugin.
+
+        Args:
+            plugin_path: Path to plugin file or directory
+            private_key: Private key or secret for signing
+            certificate: Optional X.509 certificate
+            metadata: Additional metadata
+
+        Returns:
+            SignatureInfo with signature details
+
+        Raises:
+            SignatureError: If signing fails
+        """
+        # Get plugin hash
+        content_hash = self.get_plugin_hash(plugin_path)
+
+        # Build data to sign
+        timestamp = datetime.now(timezone.utc)
+        expires_at = timestamp + timedelta(days=self.validity_days)
+
+        sign_data = {
+            "plugin_hash": content_hash,
+            "signer_id": self.signer_id,
+            "algorithm": self.algorithm.name,
+            "timestamp": timestamp.isoformat(),
+            "expires_at": expires_at.isoformat(),
+        }
+
+        # Create signature
+        data_bytes = json.dumps(sign_data, sort_keys=True).encode()
+        signature = self._create_signature(data_bytes, private_key)
+
+        return SignatureInfo(
+            signer_id=self.signer_id,
+            algorithm=self.algorithm.name,
+            signature=signature,
+            timestamp=timestamp,
+            expires_at=expires_at,
+            certificate_chain=(certificate,) if certificate else (),
+            metadata={
+                "plugin_hash": content_hash,
+                **(metadata or {}),
+            },
+        )
+
+    def verify(
+        self,
+        plugin_path: Path,
+        signature: SignatureInfo,
+    ) -> VerificationResult:
+        """Verify a plugin signature.
+
+        Args:
+            plugin_path: Path to plugin
+            signature: Signature to verify
+
+        Returns:
+            VerificationResult with verification status
+        """
+        errors: list[str] = []
+        warnings: list[str] = []
+
+        # Check expiration
+        if signature.is_expired():
+            errors.append(f"Signature expired at {signature.expires_at}")
+            return VerificationResult.failure(*errors)
+
+        # Check hash
+        current_hash = self.get_plugin_hash(plugin_path)
+        stored_hash = signature.metadata.get("plugin_hash", "")
+
+        if current_hash != stored_hash:
+            errors.append("Plugin content has been modified")
+            return VerificationResult.failure(*errors)
+
+        # Verify signature age warning
+        if signature.age_days > 180:
+            warnings.append(f"Signature is {signature.age_days} days old")
+
+        return VerificationResult.success(
+            signer_id=signature.signer_id,
+            trust_level=TrustLevel.VERIFIED,
+            warnings=tuple(warnings),
+        )
+
+    def get_plugin_hash(self, plugin_path: Path) -> str:
+        """Get hash of plugin content.
+
+        Args:
+            plugin_path: Path to plugin file or directory
+
+        Returns:
+            Hex-encoded SHA256 hash
+        """
+        hasher = hashlib.sha256()
+
+        if plugin_path.is_file():
+            # Hash single file
+            with open(plugin_path, "rb") as f:
+                for chunk in iter(lambda: f.read(8192), b""):
+                    hasher.update(chunk)
+        elif plugin_path.is_dir():
+            # Hash all Python files in directory
+            for py_file in sorted(plugin_path.rglob("*.py")):
+                # Add relative path to hash for file identity
+                rel_path = py_file.relative_to(plugin_path)
+                hasher.update(str(rel_path).encode())
+                with open(py_file, "rb") as f:
+                    for chunk in iter(lambda: f.read(8192), b""):
+                        hasher.update(chunk)
+        else:
+            raise SignatureError(f"Plugin path does not exist: {plugin_path}")
+
+        return hasher.hexdigest()
+
+    def _create_signature(
+        self,
+        data: bytes,
+        private_key: bytes,
+    ) -> bytes:
+        """Create cryptographic signature.
+
+        Args:
+            data: Data to sign
+            private_key: Private key or secret
+
+        Returns:
+            Signature bytes
+        """
+        if self.algorithm == SignatureAlgorithm.SHA256:
+            return hashlib.sha256(data).digest()
+
+        elif self.algorithm == SignatureAlgorithm.SHA512:
+            return hashlib.sha512(data).digest()
+
+        elif self.algorithm == SignatureAlgorithm.HMAC_SHA256:
+            return hmac.new(private_key, data, hashlib.sha256).digest()
+
+        elif self.algorithm == SignatureAlgorithm.HMAC_SHA512:
+            return hmac.new(private_key, data, hashlib.sha512).digest()
+
+        elif self.algorithm == SignatureAlgorithm.RSA_SHA256:
+            return self._sign_rsa(data, private_key)
+
+        elif self.algorithm == SignatureAlgorithm.ED25519:
+            return self._sign_ed25519(data, private_key)
+
+        else:
+            raise SignatureError(f"Unsupported algorithm: {self.algorithm}")
+
+    def _sign_rsa(self, data: bytes, private_key: bytes) -> bytes:
+        """Sign data using RSA."""
+        try:
+            from cryptography.hazmat.primitives import hashes, serialization
+            from cryptography.hazmat.primitives.asymmetric import padding
+
+            key = serialization.load_pem_private_key(private_key, password=None)
+            signature = key.sign(
+                data,
+                padding.PKCS1v15(),
+                hashes.SHA256(),
+            )
+            return signature
+        except ImportError:
+            raise SignatureError(
+                "RSA signing requires cryptography package. "
+                "Install with: pip install cryptography"
+            )
+
+    def _sign_ed25519(self, data: bytes, private_key: bytes) -> bytes:
+        """Sign data using Ed25519."""
+        try:
+            from cryptography.hazmat.primitives import serialization
+            from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
+
+            key = serialization.load_pem_private_key(private_key, password=None)
+            if not isinstance(key, Ed25519PrivateKey):
+                raise SignatureError("Key is not an Ed25519 private key")
+            return key.sign(data)
+        except ImportError:
+            raise SignatureError(
+                "Ed25519 signing requires cryptography package. "
+                "Install with: pip install cryptography"
+            )
+
+    def verify_signature(
+        self,
+        data: bytes,
+        signature: bytes,
+        public_key: bytes | None = None,
+        secret: bytes | None = None,
+    ) -> bool:
+        """Verify a signature against data.
+
+        Args:
+            data: Data that was signed
+            signature: Signature to verify
+            public_key: Public key for asymmetric algorithms
+            secret: Secret for HMAC algorithms
+
+        Returns:
+            True if signature is valid
+        """
+        if self.algorithm in (SignatureAlgorithm.SHA256, SignatureAlgorithm.SHA512):
+            # Hash-based (not real signatures, just for integrity)
+            expected = self._create_signature(data, b"")
+            return hmac.compare_digest(expected, signature)
+
+        elif self.algorithm in (SignatureAlgorithm.HMAC_SHA256, SignatureAlgorithm.HMAC_SHA512):
+            if not secret:
+                return False
+            expected = self._create_signature(data, secret)
+            return hmac.compare_digest(expected, signature)
+
+        elif self.algorithm == SignatureAlgorithm.RSA_SHA256:
+            if not public_key:
+                return False
+            return self._verify_rsa(data, signature, public_key)
+
+        elif self.algorithm == SignatureAlgorithm.ED25519:
+            if not public_key:
+                return False
+            return self._verify_ed25519(data, signature, public_key)
+
+        return False
+
+    def _verify_rsa(self, data: bytes, signature: bytes, public_key: bytes) -> bool:
+        """Verify RSA signature."""
+        try:
+            from cryptography.hazmat.primitives import hashes, serialization
+            from cryptography.hazmat.primitives.asymmetric import padding
+            from cryptography.exceptions import InvalidSignature
+
+            key = serialization.load_pem_public_key(public_key)
+            try:
+                key.verify(signature, data, padding.PKCS1v15(), hashes.SHA256())
+                return True
+            except InvalidSignature:
+                return False
+        except ImportError:
+            return False
+
+    def _verify_ed25519(self, data: bytes, signature: bytes, public_key: bytes) -> bool:
+        """Verify Ed25519 signature."""
+        try:
+            from cryptography.hazmat.primitives import serialization
+            from cryptography.exceptions import InvalidSignature
+
+            key = serialization.load_pem_public_key(public_key)
+            try:
+                key.verify(signature, data)
+                return True
+            except InvalidSignature:
+                return False
+        except ImportError:
+            return False

truthound/plugins/security/signing/trust_store.py

@@ -0,0 +1,368 @@
+"""Trust store for managing trusted certificates and signers.
+
+This module provides a TrustStore implementation for managing
+which signers and certificates are trusted.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import json
+import logging
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any
+
+from truthound.plugins.security.protocols import TrustLevel
+from truthound.plugins.security.exceptions import (
+    CertificateError,
+    CertificateNotFoundError,
+    CertificateRevokedError,
+)
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class CertificateEntry:
+    """Entry in the trust store."""
+
+    cert_id: str
+    certificate: bytes
+    trust_level: TrustLevel
+    added_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
+    expires_at: datetime | None = None
+    revoked_at: datetime | None = None
+    revocation_reason: str = ""
+    metadata: dict[str, Any] = field(default_factory=dict)
+
+    @property
+    def is_revoked(self) -> bool:
+        """Check if certificate is revoked."""
+        return self.revoked_at is not None
+
+    @property
+    def is_expired(self) -> bool:
+        """Check if certificate is expired."""
+        if self.expires_at is None:
+            return False
+        return datetime.now(timezone.utc) > self.expires_at
+
+    @property
+    def is_valid(self) -> bool:
+        """Check if certificate is valid (not revoked and not expired)."""
+        return not self.is_revoked and not self.is_expired
+
+    def to_dict(self) -> dict[str, Any]:
+        """Convert to dictionary."""
+        return {
+            "cert_id": self.cert_id,
+            "trust_level": self.trust_level.value,
+            "added_at": self.added_at.isoformat(),
+            "expires_at": self.expires_at.isoformat() if self.expires_at else None,
+            "revoked_at": self.revoked_at.isoformat() if self.revoked_at else None,
+            "revocation_reason": self.revocation_reason,
+            "metadata": self.metadata,
+        }
+
+
+class TrustStoreImpl:
+    """Implementation of trust store for certificates and signers.
+
+    Manages a collection of trusted certificates with different
+    trust levels. Supports persistence to JSON file.
+
+    Example:
+        >>> store = TrustStoreImpl()
+        >>> cert_id = store.add_trusted_certificate(cert_bytes)
+        >>> is_trusted, level = store.is_trusted(cert_bytes)
+    """
+
+    def __init__(
+        self,
+        store_path: Path | None = None,
+        auto_save: bool = True,
+    ) -> None:
+        """Initialize trust store.
+
+        Args:
+            store_path: Path to persist store (optional)
+            auto_save: Whether to auto-save after modifications
+        """
+        self._store_path = store_path
+        self._auto_save = auto_save
+        self._certificates: dict[str, CertificateEntry] = {}
+        self._signer_trust: dict[str, TrustLevel] = {}
+
+        # Load from file if exists
+        if store_path and store_path.exists():
+            self._load()
+
+    def add_trusted_certificate(
+        self,
+        certificate: bytes,
+        trust_level: TrustLevel = TrustLevel.TRUSTED,
+        metadata: dict[str, Any] | None = None,
+    ) -> str:
+        """Add a certificate to the trust store.
+
+        Args:
+            certificate: Certificate bytes (DER or PEM)
+            trust_level: Trust level to assign
+            metadata: Additional metadata
+
+        Returns:
+            Certificate ID
+        """
+        # Generate certificate ID from hash
+        cert_id = self._compute_cert_id(certificate)
+
+        # Check if already exists
+        if cert_id in self._certificates:
+            existing = self._certificates[cert_id]
+            if existing.is_revoked:
+                raise CertificateRevokedError(
+                    f"Certificate {cert_id} was revoked",
+                    cert_id=cert_id,
+                    revoked_at=existing.revoked_at,
+                    reason=existing.revocation_reason,
+                )
+            # Update trust level if higher
+            if trust_level == TrustLevel.TRUSTED:
+                existing = CertificateEntry(
+                    cert_id=existing.cert_id,
+                    certificate=existing.certificate,
+                    trust_level=trust_level,
+                    added_at=existing.added_at,
+                    expires_at=existing.expires_at,
+                    metadata={**existing.metadata, **(metadata or {})},
+                )
+                self._certificates[cert_id] = existing
+            return cert_id
+
+        # Create new entry
+        entry = CertificateEntry(
+            cert_id=cert_id,
+            certificate=certificate,
+            trust_level=trust_level,
+            metadata=metadata or {},
+        )
+        self._certificates[cert_id] = entry
+
+        # Extract signer ID from certificate if possible
+        signer_id = self._extract_signer_id(certificate)
+        if signer_id:
+            self._signer_trust[signer_id] = trust_level
+
+        logger.info(f"Added certificate {cert_id} with trust level {trust_level.value}")
+
+        if self._auto_save:
+            self._save()
+
+        return cert_id
+
+    def remove_certificate(self, cert_id: str) -> bool:
+        """Remove a certificate from trust store.
+
+        Args:
+            cert_id: Certificate ID
+
+        Returns:
+            True if removed, False if not found
+        """
+        if cert_id not in self._certificates:
+            return False
+
+        entry = self._certificates.pop(cert_id)
+
+        # Also remove signer trust if applicable
+        signer_id = entry.metadata.get("signer_id")
+        if signer_id:
+            self._signer_trust.pop(signer_id, None)
+
+        logger.info(f"Removed certificate {cert_id}")
+
+        if self._auto_save:
+            self._save()
+
+        return True
+
+    def revoke_certificate(
+        self,
+        cert_id: str,
+        reason: str = "",
+    ) -> bool:
+        """Revoke a certificate.
+
+        Args:
+            cert_id: Certificate ID
+            reason: Revocation reason
+
+        Returns:
+            True if revoked, False if not found
+        """
+        if cert_id not in self._certificates:
+            return False
+
+        entry = self._certificates[cert_id]
+        self._certificates[cert_id] = CertificateEntry(
+            cert_id=entry.cert_id,
+            certificate=entry.certificate,
+            trust_level=TrustLevel.REVOKED,
+            added_at=entry.added_at,
+            expires_at=entry.expires_at,
+            revoked_at=datetime.now(timezone.utc),
+            revocation_reason=reason,
+            metadata=entry.metadata,
+        )
+
+        # Also revoke signer trust
+        signer_id = entry.metadata.get("signer_id")
+        if signer_id:
+            self._signer_trust[signer_id] = TrustLevel.REVOKED
+
+        logger.info(f"Revoked certificate {cert_id}: {reason}")
+
+        if self._auto_save:
+            self._save()
+
+        return True
+
+    def is_trusted(self, certificate: bytes) -> tuple[bool, TrustLevel]:
+        """Check if certificate is trusted.
+
+        Args:
+            certificate: Certificate to check
+
+        Returns:
+            Tuple of (is_trusted, trust_level)
+        """
+        cert_id = self._compute_cert_id(certificate)
+
+        if cert_id not in self._certificates:
+            return False, TrustLevel.UNKNOWN
+
+        entry = self._certificates[cert_id]
+
+        if entry.is_revoked:
+            return False, TrustLevel.REVOKED
+
+        if entry.is_expired:
+            return False, TrustLevel.UNKNOWN
+
+        is_trusted = entry.trust_level in (TrustLevel.TRUSTED, TrustLevel.VERIFIED)
+        return is_trusted, entry.trust_level
+
+    def get_trust_level(self, signer_id: str) -> TrustLevel:
+        """Get trust level for a signer.
+
+        Args:
+            signer_id: Signer identifier
+
+        Returns:
+            Trust level of the signer
+        """
+        return self._signer_trust.get(signer_id, TrustLevel.UNKNOWN)
+
+    def set_signer_trust(
+        self,
+        signer_id: str,
+        trust_level: TrustLevel,
+    ) -> None:
+        """Set trust level for a signer.
+
+        Args:
+            signer_id: Signer identifier
+            trust_level: Trust level to set
+        """
+        self._signer_trust[signer_id] = trust_level
+
+        if self._auto_save:
+            self._save()
+
+    def list_certificates(self) -> list[dict[str, Any]]:
+        """List all certificates in store.
+
+        Returns:
+            List of certificate info dicts
+        """
+        return [entry.to_dict() for entry in self._certificates.values()]
+
+    def list_trusted_signers(self) -> list[str]:
+        """List all trusted signer IDs.
+
+        Returns:
+            List of trusted signer IDs
+        """
+        return [
+            signer_id
+            for signer_id, level in self._signer_trust.items()
+            if level == TrustLevel.TRUSTED
+        ]
+
+    def _compute_cert_id(self, certificate: bytes) -> str:
+        """Compute certificate ID from content hash."""
+        return hashlib.sha256(certificate).hexdigest()[:16]
+
+    def _extract_signer_id(self, certificate: bytes) -> str | None:
+        """Try to extract signer ID from certificate."""
+        try:
+            from cryptography import x509
+
+            cert = x509.load_pem_x509_certificate(certificate)
+            # Use subject common name as signer ID
+            for attr in cert.subject:
+                if attr.oid == x509.oid.NameOID.COMMON_NAME:
+                    return attr.value
+        except Exception:
+            pass
+        return None
+
+    def _save(self) -> None:
+        """Save trust store to file."""
+        if not self._store_path:
+            return
+
+        data = {
+            "certificates": {
+                cert_id: entry.to_dict()
+                for cert_id, entry in self._certificates.items()
+            },
+            "signer_trust": {
+                signer_id: level.value
+                for signer_id, level in self._signer_trust.items()
+            },
+        }
+
+        self._store_path.parent.mkdir(parents=True, exist_ok=True)
+        with open(self._store_path, "w") as f:
+            json.dump(data, f, indent=2)
+
+    def _load(self) -> None:
+        """Load trust store from file."""
+        if not self._store_path or not self._store_path.exists():
+            return
+
+        try:
+            with open(self._store_path, "r") as f:
+                data = json.load(f)
+
+            # Load signer trust
+            for signer_id, level_str in data.get("signer_trust", {}).items():
+                self._signer_trust[signer_id] = TrustLevel(level_str)
+
+            # Note: Certificate bytes are not stored in JSON, only metadata
+            # Certificates must be re-added after loading
+
+            logger.info(f"Loaded trust store from {self._store_path}")
+        except Exception as e:
+            logger.error(f"Failed to load trust store: {e}")
+
+    def clear(self) -> None:
+        """Clear all certificates and trust levels."""
+        self._certificates.clear()
+        self._signer_trust.clear()
+
+        if self._auto_save and self._store_path:
+            self._save()