• Stars
    star
    204
  • Rank 192,063 (Top 4 %)
  • Language
    Go
  • Created over 3 years ago
  • Updated almost 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Split and distribute your private keys securely amongst untrusted network

cocert

An experimental tool for splitting and distributing your private keys safely*

MIT GitHub release Go Report Build Status


cocert, generates ECDSA - P521 key and uses a technique known as Shamir's Secret Sharing algorithm to split the master key into x shares, any y of which are required to reconstruct the master private key. Private keys are stored in PEM-encoded PKCS8 format, which are encrypted by The Update Framework (TUF). Each private key is splitted using Shamir Split. To Combine private key files into single one, it is necessary to enter decrypt password if it has been encrypted by TUF.

*cocert does not support any Distributed Key Generation (DGK) algorithm, yet.

This repository is signed via cosign, by using cocert itself

GIF

Asciinema

High Level Architecture

Screenshot

Use-Case Example

  • What happens if your private key is exposed by either public 3rd-party cloud service provider or internal security breach?

Your private key would have compromised and supply chain attacks would inevitable. What would happen if we not trust just one key, however, distribute our key to multiple secure environments? We would avoid supply chain attacks, that said, even if one of our private keys is compromised, we still need two more keys to combine and get the final private key.

Screenshot

Installation

  • Go
$ go install github.com/Dentrax/cocert@latest
  • Docker
$ docker pull ghcr.io/dentrax/cocert

Verify

Prerequities

  1. cosign
  2. crane

Check

# 1. Download the public key
$ curl https://raw.githubusercontent.com/Dentrax/cocert/main/.github/workflows/certs/cocert.pub -o cocert.pub

# 2. Verify
$ cosign verify -key cocert.pub ghcr.io/dentrax/cocert | jq

# 3. Make sure verified commit matches the digest of the latest image 
$ crane digest ghcr.io/dentrax/cocert

Usage

Usage:
  cocert [command]

Available Commands:
  combine     Combine the cert integrity on the supplied PEM files
  decrypt     Decrypt the target private keys using TUF
  encrypt     Encrypt the target private keys using TUF
  generate    Generates TUF encrypted keys using ECDSA and splits into PKCS8-PKIX key-pairs
  help        Help about any command
  sign        Sign the given payload and create a certificate from Fulcio
  split       Split your existing private key into parts
  verify      Verify the given payload on the supplied signature

Flags:
  -h, --help   help for cocert

Use-Case Demonstration

  1. Generate
$ cocert generate --parts 3 --threshold 2

Generating TUF encrypted Shamir PEMs...
Create new password for private key:  (master)
Confirm password: (master)
Extracting PEMs to files...
Do you want to encrypt each key using TUF? (y/n) [n]: y
Create new password for cocert0.key key: (foo)
Create new password for cocert1.key key: (bar)
Create new password for cocert2.key key: (baz)

2.1. Sign with Private Key

$ cocert sign -f cocert0.key -f cocert1.key -p "Foo Bar Baz"

(Press Enter to continue without decrypt...)
Enter your password for cocert0.key: (foo)
Enter your password for cocert1.key: (bar)
Enter your master key: (master)
Signed: MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA==

2.2. Sign with Fulcio (Keyless)

$ cocert sign -f cocert0.key -f cocert1.key  -p "Foo Bar Baz" -o my.cert

(Press Enter to continue without decrypt...)
Enter your password for cocert0.key: (foo)
Enter your password for cocert1.key: (bar)
Enter your master key: (master)
Your browser will now be opened to:
https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=CODE&code_challenge_method=S256&nonce=NONCE&redirect_uri=http%3A%2F%2Flocalhost%3A5556%2Fauth%2Fcallback&response_type=code&scope=openid+email&state=STATE
Signed: MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA==

3.1. Verify with Public Key

$ cocert verify -f cocert.pub -p "Foo Bar Baz" -k "MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA=="

3.2. Verify with Certificate

$ cocert verify -c my.cert -p "Foo Bar Baz" -k "MIGIAkIBCisWXRLBRcv/...+3pccRjm+nUNA=="

Bonus: Splitting

# 1. Generate the your custom private key
$ cosign generate-key-pair

Enter password for private key: (qux)
Private key written to cosign.key
Public key written to cosign.pub

# 2. Split the key
$ cocert split -f private.key --parts 3 --threshold 2

Create new password for cocert0.key key: (foo)
Create new password for cocert1.key key: (bar)
Create new password for cocert2.key key: (baz)

# 3. Test with combine
$ cocert combine -f cocert0.key -f cocert1.key -o cosign.key

Enter your password for cocert0.key: (foo)
Enter your password for cocert1.key: (bar)
Decrypting TUF encrypted PEMs...
Enter your master key: (qux)
Combined

Encrypt & Decrypt Keys

  • Encrypt
$ cocert encrypt -f cocert0.key -o "cocert0.key.encrypted"

Enter your password for : (foo2)
Confirm password: (foo2)
  • Decrypt
$ cocert decrypt -f cocert0.key.encrypted -o "cocert0.key.decrypted"
# [[ $(md5 -q cocert0.key) -eq $(md5 -q cocert0.key.decrypted) ]]

Enter your password for : (foo2)

$ cocert decrypt -f cocert0.key.decrypted -o "cocert0.key.unencrypted"
# You can pass empty password for 'cocert0.key.unencrypted' key

Enter your password for : (foo)
  • Combine
$ cocert combine -f cocert0.key.unencrypted -f cocert1.key 

Loading PEMs from files...
(Press Enter to continue without decrypt...)
Enter your password for cocert0.key.unencrypted: (PASS)
Enter your password for cocert1.key: (bar)
Decrypting TUF encrypted PEMs...
Enter your master key: (master)
Combined

Special Thanks

Package Author License
cosign sigstore Apache License 2.0
go-tuf The Update Framework BSD
Vault HashiCorp Mozilla Public License 2.0
prompter Songmu MIT
  • Thanks to everyone who contributed these libraries and others that made this project possible.

License

cocert was created by Furkan 'Dentrax' Türkal

The base project code is licensed under MIT unless otherwise specified. Please see the LICENSE file for more information.

Best Regards

More Repositories

1

GMDB

GMDB is the ultra-simple, cross-platform Movie Library with Features (Search, Take Note, Watch Later, Like, Import, Learn, Instantly Torrent Magnet Watch)
Go
234
star
2

Z00bfuscator

Z00bfuscator is the simple, open-source, cross-platform obfuscator for .NET Assemblies built on .NET Core
C#
201
star
3

kubesql

Experimental tool to query K8s API using plain SQL
Rust
185
star
4

Data-Structures-with-Go

Data Structures with Go Language
Go
139
star
5

falco-gpt

AI-generated remediations for Falco audit events
Go
69
star
6

Netlyser

Lightweight, a simple yet, Presence Detection Tool written in Rust, based on nmap, built for UNIX, made with <3
Rust
61
star
7

ArduRTOS

Real Time Operating System Lessons using Arduino and The FreeRTOS Kernel
C++
48
star
8

ProductManagementTool

Advanced Product tracking automation system using Qt 5 and C++
C++
47
star
9

xdsl-exporter

xDSL Prometheus Exporter
Go
45
star
10

Data-Mining-Algorithms

Data Mining Algorithms with C# using LINQ
C#
38
star
11

DentOS

Experimental Stand-alone 32-bit Kernel with Bootloader written in AT&T Assembly and Freestanding C
C
32
star
12

Monkey

Monkey Programming Language in Rust
Rust
31
star
13

TileMapGenerator

Create your own 2D Maps with layer-by-layer system using Noise-Sample and BufferedImage pattern
Java
26
star
14

Finite-State-Machine

Finite State Machine Library for .NET Core (with EASY and ADVANCED implementation)
C#
19
star
15

AsyncServerClient

AsyncServerClient is the simple, open-source, cross-platform Async TCP Server-Client project (with SQL and 3-Way Handshaking support) for .NET Assemblies built in .NET Core
C#
18
star
16

MMM-ArduPort

This is a module for the MagicMirror² smart mirror project. This module provides Arduino serial communication support with Raspberry PI.
JavaScript
17
star
17

cosigneth

Container Image Signing & Verifying on Ethereum [Testnet]
TypeScript
17
star
18

obscure-go

In-memory security with secure data types
Go
16
star
19

go-tilde-operator

PoC: How to make ~ work on Go Compiler
16
star
20

DLL-Injection-with-Assembly

DLL Injection to Exe with Assembly using OllyDbg
Assembly
16
star
21

remind-us

Schedule and generate custom reminders and send via custom alerters.
Go
12
star
22

EasySSA

An EASY and ADVANCED extention to handle TCP/IP Packets [SecurityApi]
C#
8
star
23

AVR-Programming-with-Assembly

AVR Microcontroller Programming with Assembly
Assembly
8
star
24

ArduExams

Improve your Arduino knowledge with high quality questions and exams
C++
6
star
25

EasyBlockChain

A cryptocurrency C++ implementation using a BlockChain technology made for educational purposes only
C++
2
star
26

Data-Mining-with-Python

Data Mining with Python
2
star
27

Dentrax

2
star
28

ArduRMMMQ

Ardu[R]eal-Time Operating System [MM] Magic Mirror [MQ] MQ Gas Sensor - RTOS Project
C++
2
star
29

AMX_Manager

[AMX]: [A]dministrative [M]anager Tools for [X] Server (Linux Environment Only)
Shell
2
star
30

Maxiploit

Exploit penetration tool for [Online Games]. [In Development]
C#
1
star
31

FollowUp-System-Automation

Simple Follow up Automation Example
Java
1
star
32

EasyProviders

An EASY and ADVANCED way to handle providers/services/managers/singletons systems with [EasyProvides .NET CORE Library]
C#
1
star
33

LedLooper-with-Assembly

Embedded Assembly LED project that uses AVR Microcontroller with Arduino
Assembly
1
star
34

EasySQLITE

An EASY and ADVANCED way to handle [SQLITE] Simple!, Lifesaver!, Friendly! ...
Java
1
star
35

k8s-response-engine-gke-functions

A simple demo about how to set up Kubernetes Respons Engine on GKE by using Google Cloud Functions, Falco and Falcosidekick
Go
1
star