diff --git a/attestation/policyverify/policyverify.go b/attestation/policyverify/policyverify.go index 004bab24..867234d6 100644 --- a/attestation/policyverify/policyverify.go +++ b/attestation/policyverify/policyverify.go @@ -27,6 +27,7 @@ import ( ipolicy "github.com/in-toto/go-witness/internal/policy" "github.com/in-toto/go-witness/log" "github.com/in-toto/go-witness/policy" + "github.com/in-toto/go-witness/signer" "github.com/in-toto/go-witness/slsa" "github.com/in-toto/go-witness/source" "github.com/in-toto/go-witness/timestamp" @@ -54,10 +55,11 @@ type Attestor struct { *ipolicy.VerifyPolicySignatureOptions slsa.VerificationSummary - stepResults map[string]policy.StepResult - policyEnvelope dsse.Envelope - collectionSource source.Sourcer - subjectDigests []string + stepResults map[string]policy.StepResult + policyEnvelope dsse.Envelope + collectionSource source.Sourcer + subjectDigests []string + kmsProviderOptions map[string][]func(signer.SignerProvider) (signer.SignerProvider, error) } type Option func(*Attestor) @@ -76,6 +78,12 @@ func VerifyWithPolicyEnvelope(policyEnvelope dsse.Envelope) Option { } } +func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) Option { + return func(a *Attestor) { + a.kmsProviderOptions = opts + } +} + func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) Option { return func(vo *Attestor) { for _, set := range subjectDigests { @@ -149,7 +157,7 @@ func (a *Attestor) Attest(ctx *attestation.AttestationContext) error { return fmt.Errorf("failed to unmarshal policy from envelope: %w", err) } - pubKeysById, err := pol.PublicKeyVerifiers() + pubKeysById, err := pol.PublicKeyVerifiers(a.kmsProviderOptions) if err != nil { return fmt.Errorf("failed to get public keys from policy: %w", err) } diff --git a/policy/policy.go b/policy/policy.go index 81a4f34b..753186a2 100644 --- a/policy/policy.go +++ b/policy/policy.go 
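Review bot: `VerifyWithKMSProviderOptions` is an exported option constructor with no doc comment, and the identically named option added to verify.go in this commit has the same gap. Suggest `// VerifyWithKMSProviderOptions sets, per KMS provider name, the setters applied to the KMS signer provider built for each KMS-backed policy key before its verifier is created.` The map is stored by reference, so a caller that keeps mutating it after constructing the attestor changes the verification configuration in place; that is worth stating in the comment, or the option can take a copy with `maps.Clone`. The same function-typed map is spelled out four times across this commit (both option constructors, both struct fields and `PublicKeyVerifiers`); a named type declared in package signer would keep those signatures readable.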
@@ -25,6 +25,7 @@ import ( "github.com/in-toto/go-witness/attestation" "github.com/in-toto/go-witness/cryptoutil" + "github.com/in-toto/go-witness/signer" "github.com/in-toto/go-witness/signer/kms" "github.com/in-toto/go-witness/source" @@ -55,7 +56,7 @@ type PublicKey struct { } // PublicKeyVerifiers returns verifiers for each of the policy's embedded public keys grouped by the key's ID -func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error) { +func (p Policy) PublicKeyVerifiers(ko map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) (map[string]cryptoutil.Verifier, error) { verifiers := make(map[string]cryptoutil.Verifier) var err error @@ -63,10 +64,32 @@ func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error) { var verifier cryptoutil.Verifier for _, prefix := range kms.SupportedProviders() { if strings.HasPrefix(key.KeyID, prefix) { - verifier, err = kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256")).Verifier(context.TODO()) + ksp := kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256")) + var vp signer.SignerProvider + for _, opt := range ksp.Options { + pn := opt.ProviderName() + for _, setter := range ko[pn] { + vp, err = setter(ksp) + if err != nil { + continue + } + } + } + + kspv, ok := vp.(*kms.KMSSignerProvider) + if !ok { + return nil, fmt.Errorf("provided verifier provider is not a KMS verifier provider") + } + + verifier, err = kspv.Verifier(context.TODO()) + if err != nil { + return nil, fmt.Errorf("failed to create kms verifier: %w", err) + } + if err != nil { return nil, fmt.Errorf("KMS Key ID recognized but not valid: %w", err) } + } } diff --git a/signer/kms/aws/client.go b/signer/kms/aws/client.go index 620b3e98..493ab1fc 100644 --- a/signer/kms/aws/client.go +++ b/signer/kms/aws/client.go @@ -23,6 +23,7 @@ import ( "fmt" "io" "net/http" + "os" "regexp" "strings" "time" 
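Review bot: The doc comment on `PublicKeyVerifiers` was not updated for the new parameter, and the name `ko` does not tell a reader what the map holds. Suggest a more descriptive name such as `providerOpts` and a second sentence on the comment: `// ko maps a KMS provider name to setters that are applied, in order, to the KMS signer provider built for a key of that provider before its verifier is requested.` Changing the signature of an exported method also breaks existing callers outside this repository, which the commit message should mention.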
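Review bot: In the new setter loop `vp` is only assigned inside `for _, setter := range ko[pn]`, so when `ko` has no entry for the provider — including the nil map that policyverify.Attest and Verify pass when the caller set no KMS options — `vp` stays nil, the `vp.(*kms.KMSSignerProvider)` assertion fails and every KMS-backed policy key now errors with "provided verifier provider is not a KMS verifier provider" where it previously verified with the default provider; initialising `vp` to `ksp` fixes that. Two smaller issues in the same lines: each setter receives `ksp` rather than the previous `vp`, so with several setters for one provider only the last one takes effect (pass `vp` if they are meant to compose), and a setter error is dropped by `continue`, which silently verifies with a provider that ignores the operator's configured option — returning the error is the safer choice for a verification decision. The trailing `if err != nil` that reports "KMS Key ID recognized but not valid" is unreachable after the check directly above it, so one of the two can go. The enclosing `PublicKeyVerifiers` body starts and ends outside this hunk.
```go
				ksp := kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256"))
				// Start from the freshly built provider so keys with no caller-supplied
				// options still get a verifier; each setter sees the previous result.
				var vp signer.SignerProvider = ksp
				for _, opt := range ksp.Options {
					for _, setter := range ko[opt.ProviderName()] {
						vp, err = setter(vp)
						if err != nil {
							return nil, fmt.Errorf("applying kms provider option for key %q: %w", key.KeyID, err)
						}
					}
				}

				kspv, ok := vp.(*kms.KMSSignerProvider)
				if !ok {
					return nil, fmt.Errorf("provided verifier provider is not a KMS verifier provider")
				}

				verifier, err = kspv.Verifier(context.TODO())
				if err != nil {
					return nil, fmt.Errorf("KMS Key ID recognized but not valid: %w", err)
				}
				// … unchanged: closing braces of the HasPrefix check and provider loop …
```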
@@ -303,7 +304,6 @@ func (a *awsClient) setupClient(ctx context.Context, ksp *kms.KMSSignerProvider) } opts := []func(*config.LoadOptions) error{} - if a.options.insecureSkipVerify { log.Warn("InsecureSkipVerify is enabled for AWS KMS attestor") opts = append(opts, config.WithHTTPClient(&http.Client{ @@ -320,6 +320,9 @@ func (a *awsClient) setupClient(ctx context.Context, ksp *kms.KMSSignerProvider) } log.Debug("Using file ", f, " as credentials file for AWS KMS provider") + if _, err := os.ReadFile(f); err != nil { + return fmt.Errorf("error reading credentials file: %w", err) + } opts = append(opts, config.WithSharedCredentialsFiles([]string{f})) } diff --git a/verify.go b/verify.go index f24b9224..fbe91cef 100644 --- a/verify.go +++ b/verify.go @@ -27,6 +27,7 @@ import ( "github.com/in-toto/go-witness/dsse" ipolicy "github.com/in-toto/go-witness/internal/policy" "github.com/in-toto/go-witness/policy" + "github.com/in-toto/go-witness/signer" "github.com/in-toto/go-witness/slsa" "github.com/in-toto/go-witness/source" "github.com/in-toto/go-witness/timestamp" @@ -49,6 +50,7 @@ type verifyOptions struct { verifyPolicySignatureOptions []ipolicy.Option runOptions []RunOption signers []cryptoutil.Signer + kmsProviderOptions map[string][]func(signer.SignerProvider) (signer.SignerProvider, error) } type VerifyOption func(*verifyOptions) @@ -121,6 +123,12 @@ func VerifyWithPolicyCAIntermediates(certs []*x509.Certificate) VerifyOption { } } +func VerifyWithKMSProviderOptions(opts map[string][]func(signer.SignerProvider) (signer.SignerProvider, error)) VerifyOption { + return func(vo *verifyOptions) { + vo.kmsProviderOptions = opts + } +} + type VerifyResult struct { RunResult VerificationSummary slsa.VerificationSummary 
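Review bot: The added `os.ReadFile(f)` reads the entire AWS credentials file into memory only to discard it; a readability check does not need the secret material in a buffer. Opening and closing the file gives the same early failure without copying the credentials, and including the path in the error tells the operator which file is wrong. The check also duplicates what the SDK reports when `config.WithSharedCredentialsFiles` loads the file, so a short comment that it exists only for an earlier, clearer error would help the next reader. `setupClient` starts and continues outside this hunk.
```go
				log.Debug("Using file ", f, " as credentials file for AWS KMS provider")
				// Fail early with a clear error if the file is not readable; there is
				// no need to buffer the credentials just to check access.
				fh, err := os.Open(f)
				if err != nil {
					return fmt.Errorf("opening credentials file %q: %w", f, err)
				}
				fh.Close() // read-only handle; the close error carries no information here
				opts = append(opts, config.WithSharedCredentialsFiles([]string{f}))
```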
@@ -148,7 +156,12 @@ func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers [
 
  vo.runOptions = append(vo.runOptions, RunWithAttestors(
  []attestation.Attestor{
- policyverify.New(vo.attestorOptions...),
+ policyverify.New(
+ append(
+ []policyverify.Option{policyverify.VerifyWithKMSProviderOptions(vo.kmsProviderOptions)},
+ vo.attestorOptions...,
+ )...,
+ ),
  },
  ),
  )
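Review bot: The nested `append(...)...` spread inside `policyverify.New(` is hard to read, and nothing says why the KMS option is placed first. Hoisting it into a local with a comment makes the intent explicit: `// KMS provider options go first so caller-supplied attestor options can override them.` then `attestorOpts := append([]policyverify.Option{policyverify.VerifyWithKMSProviderOptions(vo.kmsProviderOptions)}, vo.attestorOptions...)` and `policyverify.New(attestorOpts...)` — assuming `New` applies its options in order, which is not visible here. The option is applied even when `vo.kmsProviderOptions` is nil, so policyverify must treat a nil map as "no options"; worth a one-line comment at this call site. `Verify` starts and continues outside this hunk.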