cmd/tailscale,ipn: implement lock sign command

Signed-off-by: Tom DNetto <tom@tailscale.com>

ipn/ipnlocal/network-lock.go

@@ -430,6 +430,47 @@ func (b *LocalBackend) NetworkLockKeyTrustedForTest(keyID tkatype.KeyID) bool {
 	return b.tka.authority.KeyTrusted(keyID)
 }
 
+// NetworkLockSign signs the given node-key and submits it to the control plane.
+// rotationPublic, if specified, must be an ed25519 public key.
+func (b *LocalBackend) NetworkLockSign(nodeKey key.NodePublic, rotationPublic []byte) error {
+	ourNodeKey, sig, err := func(nodeKey key.NodePublic, rotationPublic []byte) (key.NodePublic, tka.NodeKeySignature, error) {
+		b.mu.Lock()
+		defer b.mu.Unlock()
+
+		if b.tka == nil {
+			return key.NodePublic{}, tka.NodeKeySignature{}, errNetworkLockNotActive
+		}
+		if !b.tka.authority.KeyTrusted(b.nlPrivKey.KeyID()) {
+			return key.NodePublic{}, tka.NodeKeySignature{}, errors.New("this node is not trusted by network lock")
+		}
+
+		p, err := nodeKey.MarshalBinary()
+		if err != nil {
+			return key.NodePublic{}, tka.NodeKeySignature{}, err
+		}
+		sig := tka.NodeKeySignature{
+			SigKind:        tka.SigDirect,
+			KeyID:          b.nlPrivKey.KeyID(),
+			Pubkey:         p,
+			WrappingPubkey: rotationPublic,
+		}
+		sig.Signature, err = b.nlPrivKey.SignNKS(sig.SigHash())
+		if err != nil {
+			return key.NodePublic{}, tka.NodeKeySignature{}, fmt.Errorf("signature failed: %w", err)
+		}
+		return b.prefs.Persist().PublicNodeKey(), sig, nil
+	}(nodeKey, rotationPublic)
+	if err != nil {
+		return err
+	}
+
+	b.logf("Generated network-lock signature for %v, submitting to control plane", nodeKey)
+	if _, err := b.tkaSubmitSignature(ourNodeKey, sig.Serialize()); err != nil {
+		return err
+	}
+	return nil
+}
+
 // NetworkLockModify adds and/or removes keys in the tailnet's key authority.
 func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) {
 	defer func() {
@@ -817,3 +858,39 @@ func (b *LocalBackend) tkaDoDisablement(ourNodeKey key.NodePublic, head tka.AUMH
 
 	return a, nil
 }
+
+func (b *LocalBackend) tkaSubmitSignature(ourNodeKey key.NodePublic, sig tkatype.MarshaledSignature) (*tailcfg.TKASubmitSignatureResponse, error) {
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(tailcfg.TKASubmitSignatureRequest{
+		Version:   tailcfg.CurrentCapabilityVersion,
+		NodeKey:   ourNodeKey,
+		Signature: sig,
+	}); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/sign", &req)
+	if err != nil {
+		return nil, fmt.Errorf("req: %w", err)
+	}
+	res, err := b.DoNoiseRequest(req2)
+	if err != nil {
+		return nil, fmt.Errorf("resp: %w", err)
+	}
+	if res.StatusCode != 200 {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+	}
+	a := new(tailcfg.TKASubmitSignatureResponse)
+	err = json.NewDecoder(&io.LimitedReader{R: res.Body, N: 1024 * 1024}).Decode(a)
+	res.Body.Close()
+	if err != nil {
+		return nil, fmt.Errorf("decoding JSON: %w", err)
+	}
+
+	return a, nil
+}