Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

KMS Support #120

Merged
merged 41 commits into from
Feb 15, 2024
Merged
Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
4964a10
first pass for implementing kms support
ChaosInTheCRD Jan 8, 2024
0853850
saving progress on hashtype flag for kms signer
ChaosInTheCRD Jan 9, 2024
1af7687
saving kms progress for verifier
ChaosInTheCRD Jan 10, 2024
d14c4e9
updating go mod
ChaosInTheCRD Jan 10, 2024
ca228cb
Merge branch 'main' of github.com:in-toto/go-witness into kms-support
ChaosInTheCRD Jan 12, 2024
12deda2
saving progrsss
ChaosInTheCRD Jan 12, 2024
b8eee30
Merge branch 'main' of github.com:in-toto/go-witness into kms-support
ChaosInTheCRD Jan 17, 2024
eda08d5
review of AWS KMS signer and adding scrappy implementation of GCP Signer
ChaosInTheCRD Jan 17, 2024
d7d9b74
adding tests and some other changes
ChaosInTheCRD Jan 24, 2024
946e187
Merge branch 'main' into kms-support
ChaosInTheCRD Jan 24, 2024
6c1d8cf
fixing license headers
ChaosInTheCRD Jan 24, 2024
da26fe4
fixing header
ChaosInTheCRD Jan 24, 2024
f03a897
Merge branch 'main' of github.com:in-toto/go-witness into kms-support
ChaosInTheCRD Jan 24, 2024
c0151c7
Merge branch 'kms-support' of github.com:ChaosInTheCRD/go-witness int…
ChaosInTheCRD Jan 24, 2024
599b2cb
small refactor
ChaosInTheCRD Jan 24, 2024
0ccdf11
adding hashicorp vault kms signer
ChaosInTheCRD Jan 26, 2024
0ee5f0c
small fixes
ChaosInTheCRD Jan 26, 2024
0314ccf
adding unfinished fake kms client
ChaosInTheCRD Jan 29, 2024
429293f
completing fake client for gcp
ChaosInTheCRD Feb 1, 2024
c7c9329
adding signer test for gcp
ChaosInTheCRD Feb 1, 2024
e80d865
Merge branch 'main' into kms-support
ChaosInTheCRD Feb 1, 2024
0a45306
fixing local verification and adding support for PKCS #1 v1.5
ChaosInTheCRD Feb 1, 2024
0eac58e
Merge branch 'kms-support' of github.com:ChaosInTheCRD/go-witness int…
ChaosInTheCRD Feb 1, 2024
1f9f95e
Merge branch 'main' into kms-support
ChaosInTheCRD Feb 1, 2024
0c66e71
Merge branch 'main' of github.com:in-toto/go-witness into kms-support
ChaosInTheCRD Feb 6, 2024
df50669
the nested module isn't needed here
ChaosInTheCRD Feb 6, 2024
1a8a79c
Merge branch 'kms-support' of github.com:ChaosInTheCRD/go-witness int…
ChaosInTheCRD Feb 6, 2024
4c51653
adding implementation for kms provider options
ChaosInTheCRD Feb 8, 2024
54b1a51
removing hashivault kms for now (not finished)
ChaosInTheCRD Feb 8, 2024
363dcc6
Resolve linter errors
jkjell Feb 8, 2024
4f8cd73
Remove unused function
jkjell Feb 8, 2024
539f876
added all the obvious options for aws and gcp kms
ChaosInTheCRD Feb 12, 2024
07575d1
fixing some linting errors
ChaosInTheCRD Feb 12, 2024
41d3fa3
Merge branch 'main' into kms-support
ChaosInTheCRD Feb 12, 2024
ece6ed2
Merge branch 'main' into kms-support
ChaosInTheCRD Feb 12, 2024
fd9e21b
some refactors made in the quest of folding out a bug
ChaosInTheCRD Feb 13, 2024
7a9b1a8
Merge branch 'kms-support' of github.com:ChaosInTheCRD/go-witness int…
ChaosInTheCRD Feb 13, 2024
1680e8c
making final changes for PR
ChaosInTheCRD Feb 13, 2024
1571df7
Merge branch 'main' into kms-support
ChaosInTheCRD Feb 13, 2024
2d7d9f8
added public key to parse function
ChaosInTheCRD Feb 15, 2024
758242e
removing them again haha
ChaosInTheCRD Feb 15, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion cryptoutil/rsa.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,12 @@ func (v *RSAVerifier) Verify(data io.Reader, sig []byte) error {
Hash: v.hash,
}

return rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts)
// AWS KMS introduces the chance that attestations get signed by PKCS1v15 instead of PSS
if err := rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts); err != nil {
return rsa.VerifyPKCS1v15(v.pub, v.hash, digest, sig)
}

return nil
}

func (v *RSAVerifier) Bytes() ([]byte, error) {
Expand Down
52 changes: 52 additions & 0 deletions cryptoutil/util.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,21 @@ import (
"crypto/x509"
"encoding/hex"
"encoding/pem"
"errors"
"fmt"
"io"
)

// PEMType is a specific type for string constants used during PEM encoding and decoding
type PEMType string

const (
// PublicKeyPEMType is the string "PUBLIC KEY" to be used during PEM encoding and decoding
PublicKeyPEMType PEMType = "PUBLIC KEY"
// PKCS1PublicKeyPEMType is the string "RSA PUBLIC KEY" used to parse PKCS#1-encoded public keys
PKCS1PublicKeyPEMType PEMType = "RSA PUBLIC KEY"
)

type ErrUnsupportedPEM struct {
t string
}
Expand Down Expand Up @@ -85,6 +96,23 @@ func PublicPemBytes(pub interface{}) ([]byte, error) {
return pemBytes, err
}

// UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey
func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error) {
derBytes, _ := pem.Decode(pemBytes)
if derBytes == nil {
return nil, errors.New("PEM decoding failed")
}
switch derBytes.Type {
case string(PublicKeyPEMType):
return x509.ParsePKIXPublicKey(derBytes.Bytes)
case string(PKCS1PublicKeyPEMType):
return x509.ParsePKCS1PublicKey(derBytes.Bytes)
ChaosInTheCRD marked this conversation as resolved.
Show resolved Hide resolved
default:
return nil, fmt.Errorf("unknown Public key PEM file type: %v. Are you passing the correct public key?",
derBytes.Type)
}
}

func TryParsePEMBlock(block *pem.Block) (interface{}, error) {
if block == nil {
return nil, ErrInvalidPemBlock{}
Expand Down Expand Up @@ -147,3 +175,27 @@ func TryParseCertificate(data []byte) (*x509.Certificate, error) {

return cert, nil
}

// ComputeDigest calculates the digest value for the specified message using the supplied hash function
func ComputeDigest(rawMessage io.Reader, hashFunc crypto.Hash, supportedHashFuncs []crypto.Hash) ([]byte, crypto.Hash, error) {
var cryptoSignerOpts crypto.SignerOpts = hashFunc
hashedWith := cryptoSignerOpts.HashFunc()
if !isSupportedAlg(hashedWith, supportedHashFuncs) {
return nil, crypto.Hash(0), fmt.Errorf("unsupported hash algorithm: %q not in %v", hashedWith.String(), supportedHashFuncs)
}

digest, err := Digest(rawMessage, hashedWith)
return digest, hashedWith, err
}

func isSupportedAlg(alg crypto.Hash, supportedAlgs []crypto.Hash) bool {
if supportedAlgs == nil {
return true
}
for _, supportedAlg := range supportedAlgs {
if alg == supportedAlg {
return true
}
}
return false
}
23 changes: 20 additions & 3 deletions policy/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,14 @@ import (
"bytes"
"context"
"crypto/x509"
"fmt"
"strings"
"time"

"github.com/in-toto/go-witness/attestation"
"github.com/in-toto/go-witness/cryptoutil"
"github.com/in-toto/go-witness/log"
"github.com/in-toto/go-witness/signer/kms"
"github.com/in-toto/go-witness/source"

metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand Down Expand Up @@ -54,10 +57,24 @@ type PublicKey struct {
// PublicKeyVerifiers returns verifiers for each of the policy's embedded public keys grouped by the key's ID
func (p Policy) PublicKeyVerifiers() (map[string]cryptoutil.Verifier, error) {
verifiers := make(map[string]cryptoutil.Verifier)
var verifier cryptoutil.Verifier
var err error

for _, key := range p.PublicKeys {
verifier, err := cryptoutil.NewVerifierFromReader(bytes.NewReader(key.Key))
if err != nil {
return nil, err
for _, prefix := range kms.SupportedProviders() {
if strings.HasPrefix(key.KeyID, prefix) {
verifier, err = kms.New(kms.WithRef(key.KeyID), kms.WithHash("SHA256")).Verifier(context.TODO())
if err != nil {
return nil, fmt.Errorf("KMS Key ID recognized but not valid: %w", err)
}
}
}

if verifier == nil {
verifier, err = cryptoutil.NewVerifierFromReader(bytes.NewReader(key.Key))
if err != nil {
return nil, err
}
}

keyID, err := verifier.KeyID()
Expand Down
9 changes: 9 additions & 0 deletions registry/registry.go
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,16 @@ func (r Registry[T]) AllEntries() []Entry[T] {
}

return results
}

// AllEntries returns every Entry in the Registry that can be used as a Verifier
ChaosInTheCRD marked this conversation as resolved.
Show resolved Hide resolved
func (r Registry[T]) AllVerifierEntries() []Entry[T] {
results := make([]Entry[T], 0, len(r.entriesByName))
for _, registration := range r.entriesByName {
results = append(results, registration)
}

return results
}

// NewEntity creates a new entity with the the default options set
Expand Down
Loading
Loading