review: add bring your own key logic

Author: archandatta

cmd/extensions.go

@@ -424,19 +424,41 @@ var extensionsUploadCmd = &cobra.Command{
 }
 
 var extensionsPrepareWebBotAuthCmd = &cobra.Command{
-	Use:   "prepare-web-bot-auth",
-	Short: "Prepare the Cloudflare web-bot-auth extension for Kernel",
+	Use:   "build-web-bot-auth",
+	Short: "Build the Cloudflare web-bot-auth extension for Kernel",
 	Long: `Download, build, and prepare the Cloudflare web-bot-auth extension with Kernel-specific configurations.
-					This creates a directory ready to upload to Kernel.
-					The extension will be configured to use the kernel-images server to host update.xml and the extension.crx file.`,
+					Defaults to RFC9421 test key (works with Cloudflare's test site).
+					Optionally accepts a custom Ed25519 JWK key file and can upload directly to Kernel.`,
 	Args: cobra.NoArgs,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		output, _ := cmd.Flags().GetString("output")
+		output, _ := cmd.Flags().GetString("to")
 		url, _ := cmd.Flags().GetString("url")
-		return extensions.PrepareWebBotAuth(cmd.Context(), extensions.ExtensionsPrepareWebBotAuthInput{
+		keyPath, _ := cmd.Flags().GetString("key")
+		shouldUpload, _ := cmd.Flags().GetBool("upload")
+
+		// Build the extension
+		result, err := extensions.BuildWebBotAuth(cmd.Context(), extensions.ExtensionsBuildWebBotAuthInput{
 			Output:  output,
 			HostURL: url,
+			KeyPath: keyPath,
 		})
+		if err != nil {
+			return err
+		}
+
+		// Upload if requested
+		if shouldUpload {
+			client := getKernelClient(cmd)
+			svc := client.Extensions
+			e := ExtensionsCmd{extensions: &svc}
+			pterm.Info.Println("Uploading extension to Kernel...")
+			return e.Upload(cmd.Context(), ExtensionsUploadInput{
+				Dir:  result.OutputDir,
+				Name: result.ExtensionID,
+			})
+		}
+
+		return nil
 	},
 }
 
@@ -455,6 +477,8 @@ func init() {
 	extensionsDownloadWebStoreCmd.Flags().String("os", "", "Target OS: mac, win, or linux (default linux)")
 	extensionsUploadCmd.Flags().StringP("output", "o", "", "Output format: json for raw API response")
 	extensionsUploadCmd.Flags().String("name", "", "Optional unique extension name")
-	extensionsPrepareWebBotAuthCmd.Flags().String("output", "./web-bot-auth", "Output directory for the prepared extension")
+	extensionsPrepareWebBotAuthCmd.Flags().String("to", "./web-bot-auth", "Output directory for the prepared extension")
 	extensionsPrepareWebBotAuthCmd.Flags().String("url", "http://127.0.0.1:10001", "Base URL for update.xml and policy templates")
+	extensionsPrepareWebBotAuthCmd.Flags().String("key", "", "Path to custom Ed25519 JWK key file (defaults to RFC9421 test key)")
+	extensionsPrepareWebBotAuthCmd.Flags().Bool("upload", false, "Upload extension to Kernel after building")
 }

pkg/extensions/webbotauth.go

@@ -23,61 +23,91 @@ const (
 	defaultFileMode       = 0644
 	webBotAuthDownloadURL = "https://github.com/cloudflare/web-bot-auth/archive/refs/heads/main.zip"
 	downloadTimeout       = 5 * time.Minute
+	// defaultWebBotAuthKey is the RFC9421 test key that works with Cloudflare's test site
+	// https://developers.cloudflare.com/bots/reference/bot-verification/web-bot-auth/
+	defaultWebBotAuthKey = `{"kty":"OKP","crv":"Ed25519","d":"n4Ni-HpISpVObnQMW0wOhCKROaIKqKtW_2ZYb2p9KcU","x":"JrQLj5P_89iXES9-vFgrIy29clF9CC_oPPsw3c5D0bs"}`
 )
 
-type ExtensionsPrepareWebBotAuthInput struct {
+type ExtensionsBuildWebBotAuthInput struct {
 	Output  string
 	HostURL string
+	KeyPath string // Path to user's JWK file (optional, defaults to RFC9421 test key)
 }
 
-func PrepareWebBotAuth(ctx context.Context, in ExtensionsPrepareWebBotAuthInput) error {
+// BuildWebBotAuthOutput contains the result of building the extension
+type BuildWebBotAuthOutput struct {
+	ExtensionID string
+	OutputDir   string
+}
+
+func BuildWebBotAuth(ctx context.Context, in ExtensionsBuildWebBotAuthInput) (*BuildWebBotAuthOutput, error) {
 	pterm.Info.Println("Preparing web-bot-auth extension...")
 
 	// Validate preconditions
 	if err := validateToolDependencies(); err != nil {
-		return err
+		return nil, err
 	}
 
 	outputDir, err := filepath.Abs(in.Output)
 	if err != nil {
-		return fmt.Errorf("failed to resolve output path: %w", err)
+		return nil, fmt.Errorf("failed to resolve output path: %w", err)
 	}
 	if st, err := os.Stat(outputDir); err == nil {
 		if !st.IsDir() {
-			return fmt.Errorf("output path exists and is not a directory: %s", outputDir)
+			return nil, fmt.Errorf("output path exists and is not a directory: %s", outputDir)
 		}
 		entries, _ := os.ReadDir(outputDir)
 		if len(entries) > 0 {
-			return fmt.Errorf("output directory must be empty: %s", outputDir)
+			return nil, fmt.Errorf("output directory must be empty: %s", outputDir)
 		}
 	} else {
 		if err := os.MkdirAll(outputDir, defaultDirMode); err != nil {
-			return fmt.Errorf("failed to create output directory: %w", err)
+			return nil, fmt.Errorf("failed to create output directory: %w", err)
 		}
 	}
 
 	// Download and extract
 	browserExtDir, cleanup, err := downloadAndExtractWebBotAuth(ctx)
 	defer cleanup()
 	if err != nil {
-		return err
+		return nil, err
+	}
+
+	// Load key (custom or default)
+	var jwkData string
+	var usingDefaultKey bool
+	if in.KeyPath != "" {
+		pterm.Info.Printf("Loading custom JWK from %s...\n", in.KeyPath)
+		keyBytes, err := os.ReadFile(in.KeyPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read key file: %w", err)
+		}
+		jwkData = string(keyBytes)
+		usingDefaultKey = false
+	} else {
+		pterm.Info.Println("Using default RFC9421 test key (works with Cloudflare test site)...")
+		jwkData = defaultWebBotAuthKey
+		usingDefaultKey = true
 	}
 
 	// Build extension
-	extensionID, err := buildWebBotAuthExtension(ctx, browserExtDir, in.HostURL)
+	extensionID, err := buildWebBotAuthExtension(ctx, browserExtDir, in.HostURL, jwkData)
 	if err != nil {
-		return err
+		return nil, err
 	}
 
 	// Copy artifacts
 	if err := copyExtensionArtifacts(browserExtDir, outputDir); err != nil {
-		return err
+		return nil, err
 	}
 
 	// Display success message
-	displayWebBotAuthSuccess(outputDir, extensionID, in.HostURL)
+	displayWebBotAuthSuccess(outputDir, extensionID, in.HostURL, usingDefaultKey)
 
-	return nil
+	return &BuildWebBotAuthOutput{
+		ExtensionID: extensionID,
+		OutputDir:   outputDir,
+	}, nil
 }
 
 // extractExtensionID extracts the extension ID from npm bundle output
@@ -90,6 +120,7 @@ func extractExtensionID(output string) string {
 	return ""
 }
 
+
 // validateToolDependencies checks for required tools (node and npm)
 func validateToolDependencies() error {
 	if _, err := exec.LookPath("node"); err != nil {
@@ -179,10 +210,23 @@ func downloadAndExtractWebBotAuth(ctx context.Context) (browserExtDir string, cl
 }
 
 // buildWebBotAuthExtension modifies templates, builds the extension, and returns the extension ID
-func buildWebBotAuthExtension(ctx context.Context, browserExtDir, hostURL string) (string, error) {
+func buildWebBotAuthExtension(ctx context.Context, browserExtDir, hostURL, jwkData string) (string, error) {
 	// Normalize hostURL by removing trailing slashes to prevent double slashes in URLs
 	hostURL = strings.TrimRight(hostURL, "/")
 
+	// Convert JWK to PEM and write to browserExtDir before building
+	pterm.Info.Println("Converting JWK to PEM format...")
+	pemData, err := util.JWKToPEM(jwkData)
+	if err != nil {
+		return "", fmt.Errorf("failed to convert JWK to PEM: %w", err)
+	}
+
+	privateKeyPath := filepath.Join(browserExtDir, "private_key.pem")
+	if err := os.WriteFile(privateKeyPath, pemData, 0600); err != nil {
+		return "", fmt.Errorf("failed to write private key: %w", err)
+	}
+	pterm.Success.Println("Private key written successfully")
+
 	// Modify template files
 	pterm.Info.Println("Modifying templates with host URL...")
 
@@ -337,27 +381,53 @@ func copyExtensionArtifacts(browserExtDir, outputDir string) error {
 		pterm.Warning.Println("No private_key.pem found - extension ID may change on rebuild")
 	}
 
+	// Copy policy directory (contains Chrome enterprise policy configuration)
+	policySrc := filepath.Join(browserExtDir, "policy")
+	policyDst := filepath.Join(outputDir, "policy")
+	if _, err := os.Stat(policySrc); err == nil {
+		if err := util.CopyDir(policySrc, policyDst); err != nil {
+			return fmt.Errorf("failed to copy policy directory: %w", err)
+		}
+		pterm.Info.Println("Policy files copied (required for Chrome configuration)")
+	}
+
 	return nil
 }
 
 // displayWebBotAuthSuccess displays success message and next steps
-func displayWebBotAuthSuccess(outputDir, extensionID, hostURL string) {
+func displayWebBotAuthSuccess(outputDir, extensionID, hostURL string, usingDefaultKey bool) {
 	pterm.Success.Println("Web-bot-auth extension prepared successfully!")
 	pterm.Println()
 
 	rows := pterm.TableData{{"Property", "Value"}}
 	rows = append(rows, []string{"Extension ID", extensionID})
 	rows = append(rows, []string{"Output directory", outputDir})
 	rows = append(rows, []string{"Host URL", hostURL})
+	if usingDefaultKey {
+		rows = append(rows, []string{"Signing Key", "RFC9421 test key (Cloudflare test site)"})
+	} else {
+		rows = append(rows, []string{"Signing Key", "Custom JWK"})
+	}
 	table.PrintTableNoPad(rows, true)
 
 	pterm.Println()
 	pterm.Info.Println("Next steps:")
 	pterm.Printf("1. Upload using the extension ID as the name:\n")
 	pterm.Printf("   kernel extensions upload %s --name %s\n\n", outputDir, extensionID)
-	pterm.Printf("2. Use in your browser, or upload to a session:\n")
-	pterm.Printf("   kernel browsers create --extension %s\n", extensionID)
-	pterm.Printf("   or run kernel browsers extensions upload <session-id> %s\n\n", outputDir)
-	pterm.Warning.Println("⚠️  Private key saved to private_key.pem - keep it secure!")
-	pterm.Info.Println("   It's automatically excluded when uploading via .gitignore")
+	pterm.Printf("2. Use in your browser:\n")
+	pterm.Printf("   kernel browsers create --extension %s\n\n", extensionID)
+
+	pterm.Println()
+	pterm.Info.Println("   For testing with Cloudflare's test site:")
+	pterm.Printf("   • Test URL: https://http-message-signatures-example.research.cloudflare.com\n")
+	pterm.Printf("   • Or: https://webbotauth.io/test\n")
+	pterm.Println()
+
+	if usingDefaultKey {
+		pterm.Info.Println("Using default RFC9421 test key - compatible with Cloudflare test sites")
+	} else {
+		pterm.Warning.Println("⚠️  Private key saved to private_key.pem - keep it secure!")
+		pterm.Info.Println("   It's automatically excluded when uploading via .gitignore")
+	}
+
 }

pkg/util/crypto.go

@@ -0,0 +1,103 @@
+package util
+
+import (
+	"crypto/ed25519"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"fmt"
+)
+
+// jwkKey represents an Ed25519 JWK key
+type jwkKey struct {
+	Kty string `json:"kty"` // Key type (should be "OKP")
+	Crv string `json:"crv"` // Curve (should be "Ed25519")
+	D   string `json:"d"`   // Private key (base64url encoded)
+	X   string `json:"x"`   // Public key (base64url encoded)
+}
+
+// JWKToPEM converts an Ed25519 JWK to PEM format (PKCS#8)
+// If the input is already in PEM format, it validates and returns it as-is
+func JWKToPEM(jwkJSON string) ([]byte, error) {
+	// Check if input is already PEM-encoded
+	if block, _ := pem.Decode([]byte(jwkJSON)); block != nil {
+		if block.Type != "PRIVATE KEY" {
+			return nil, fmt.Errorf("invalid PEM type: expected PRIVATE KEY, got %s", block.Type)
+		}
+		// TODO: Could add validation that it's actually an Ed25519 key
+		return []byte(jwkJSON), nil
+	}
+
+	// Parse as JWK
+	var key jwkKey
+	if err := json.Unmarshal([]byte(jwkJSON), &key); err != nil {
+		return nil, fmt.Errorf("failed to parse as JWK or PEM: %w", err)
+	}
+
+	if key.Kty != "OKP" || key.Crv != "Ed25519" {
+		return nil, fmt.Errorf("invalid key type: expected OKP/Ed25519, got %s/%s", key.Kty, key.Crv)
+	}
+
+	// Decode private key from base64url
+	privateKeyBytes, err := base64.RawURLEncoding.DecodeString(key.D)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode private key: %w", err)
+	}
+
+	if len(privateKeyBytes) != ed25519.SeedSize {
+		return nil, fmt.Errorf("invalid private key size: expected %d bytes, got %d", ed25519.SeedSize, len(privateKeyBytes))
+	}
+
+	// Generate Ed25519 private key from seed
+	privateKey := ed25519.NewKeyFromSeed(privateKeyBytes)
+
+	// Create PKCS#8 structure
+	pkcs8Bytes, err := MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal PKCS#8: %w", err)
+	}
+
+	// Encode to PEM
+	pemBlock := &pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: pkcs8Bytes,
+	}
+
+	return pem.EncodeToMemory(pemBlock), nil
+}
+
+// MarshalPKCS8PrivateKey creates a PKCS#8 structure for Ed25519 private key
+func MarshalPKCS8PrivateKey(key ed25519.PrivateKey) ([]byte, error) {
+	// PKCS#8 structure for Ed25519:
+	// SEQUENCE {
+	//   INTEGER 0 (version)
+	//   SEQUENCE {
+	//     OBJECT IDENTIFIER 1.3.101.112 (Ed25519)
+	//   }
+	//   OCTET STRING (containing the 32-byte seed as OCTET STRING)
+	// }
+
+	// Ed25519 OID: 1.3.101.112
+	oid := []byte{0x06, 0x03, 0x2b, 0x65, 0x70}
+
+	// Extract seed (first 32 bytes of private key)
+	seed := key.Seed()
+
+	// Inner OCTET STRING (seed)
+	innerOctetString := append([]byte{0x04, byte(len(seed))}, seed...)
+
+	// Algorithm identifier SEQUENCE
+	algSeq := append([]byte{0x30, byte(len(oid))}, oid...)
+
+	// Version (INTEGER 0)
+	version := []byte{0x02, 0x01, 0x00}
+
+	// Combine all parts
+	content := append(version, algSeq...)
+	content = append(content, innerOctetString...)
+
+	// Outer SEQUENCE
+	result := append([]byte{0x30, byte(len(content))}, content...)
+
+	return result, nil
+}