
feat: adds cert-utility. #1870

Open. Wants to merge 2 commits into main from feat/adds-cert-maker.

Conversation

ianhundere

@ianhundere ianhundere commented Nov 21, 2024

closes #1869

Summary

currently, there is no standard method for creating cert chains for fulcio or tsa. the community has used an assortment of open source scripts/tools, but i thought it would be nice to have a small cloud agnostic go app to create/sign (via awskms, cloudkms, or azurekms) certificates. the smallstep crypto library is fairly comprehensive in its kms/cert capabilities.

@haydentherapper / @bobcallaway gave the go ahead in proceeding w/ this work.

Release Note

  • Adds certificate utility to create and sign certificates via AWS KMS, Google Cloud KMS, or Azure Key Vault.

Documentation

Sigstore Certificate Maker

A tool for creating certificate chains for Sigstore services (Fulcio and Timestamp Authority).

Overview

This tool creates root and intermediate certificates for:

  • Fulcio (Code Signing Certificate Authority)

Requirements

  • Access to one of the supported KMS providers (AWS, Google Cloud, Azure)
  • Pre-existing KMS keys (the tool uses existing keys and does not create new ones)

Local Development

Clone and build the project locally:

# Clone the repository
git clone https://github.com/sigstore/fulcio

# Change to project directory
cd fulcio

# Build the binary
go build -o fulcio-certificate-maker ./cmd/certificate_maker

Usage

The tool can be configured using either command-line flags or environment variables.

Command-Line Interface

Available flags:

  • --kms-type: KMS provider type (awskms, cloudkms, azurekms)
  • --kms-region: KMS region (required for AWS KMS)
  • --root-key-id: KMS key identifier for root certificate
  • --intermediate-key-id: KMS key identifier for intermediate certificate
  • --kms-vault-name: Azure KMS vault name
  • --kms-tenant-id: Azure KMS tenant ID
  • --kms-credentials-file: Path to credentials file (for Google Cloud KMS)
  • --root-template: Path to root certificate template
  • --intermediate-template: Path to intermediate certificate template
  • --root-cert: Output path for root certificate (default: root.pem)
  • --intermediate-cert: Output path for intermediate certificate (default: intermediate.pem)

Environment Variables

  • KMS_TYPE: KMS provider type ("awskms", "cloudkms", "azurekms")
  • KMS_REGION: Region (required for AWS KMS, defaults to us-east-1)
  • ROOT_KEY_ID: Key identifier for root certificate
  • INTERMEDIATE_KEY_ID: Key identifier for intermediate certificate
  • KMS_VAULT_NAME: Azure Key Vault name
  • KMS_TENANT_ID: Azure tenant ID
  • KMS_CREDENTIALS_FILE: Path to credentials file (for Google Cloud KMS)

Provider-Specific Configuration Examples

AWS KMS

export KMS_TYPE=awskms
export KMS_REGION=us-east-1
export ROOT_KEY_ID=alias/fulcio-root
export INTERMEDIATE_KEY_ID=alias/fulcio-intermediate

Google Cloud KMS

export KMS_TYPE=cloudkms
export ROOT_KEY_ID=projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/root-key
export INTERMEDIATE_KEY_ID=projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/intermediate-key
export KMS_CREDENTIALS_FILE=/path/to/credentials.json

Azure KMS

export KMS_TYPE=azurekms
export ROOT_KEY_ID=root-key
export INTERMEDIATE_KEY_ID=intermediate-key
export KMS_VAULT_NAME=my-vault
export KMS_TENANT_ID=tenant-id

Example Templates

Fulcio Root Template

{
  "subject": {
    "country": ["US"],
    "organization": ["Sigstore"],
    "organizationalUnit": ["Fulcio Root CA"],
    "commonName": "https://fulcio.com"
  },
  "issuer": {
    "commonName": "https://fulcio.com"
  },
  "notBefore": "2024-01-01T00:00:00Z",
  "notAfter": "2034-01-01T00:00:00Z",
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 1
  },
  "keyUsage": [
    "certSign",
    "crlSign"
  ],
  "extKeyUsage": [
    "CodeSigning"
  ]
}

Fulcio Intermediate/Leaf Template

{
  "subject": {
    "country": ["US"],
    "organization": ["Sigstore"],
    "organizationalUnit": ["Fulcio Intermediate CA"],
    "commonName": "https://fulcio.com"
  },
  "issuer": {
    "commonName": "https://fulcio.com"
  },
  "notBefore": "2024-01-01T00:00:00Z",
  "notAfter": "2034-01-01T00:00:00Z",
  "serialNumber": 2,
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  },
  "keyUsage": [
    "certSign",
    "crlSign",
    "digitalSignature"
  ],
  "extKeyUsage": [
    "CodeSigning"
  ]
}

Example Certificate Outputs

Fulcio Root CA Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Sigstore, OU=Fulcio Root CA, CN=https://fulcio.com
        Subject: C=US, O=Sigstore, OU=Fulcio Root CA, CN=https://fulcio.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Extended Key Usage:
                Code Signing

Fulcio Intermediate/Leaf Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Sigstore, OU=Fulcio Root CA, CN=https://fulcio.com
        Subject: C=US, O=Sigstore, OU=Fulcio Intermediate CA, CN=https://fulcio.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign, Digital Signature
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Extended Key Usage:
                Code Signing

Running the Tool

Example for Fulcio with AWS KMS:

fulcio-certificate-maker create \
  --kms-type awskms \
  --kms-region us-east-1 \
  --root-key-id alias/fulcio-root \
  --intermediate-key-id alias/fulcio-intermediate \
  --root-template pkg/certmaker/templates/root-template.json \
  --intermediate-template pkg/certmaker/templates/intermediate-template.json

Build and Test
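Added example (not code from this PR or from Fulcio itself): a Go sketch of how a JSON template like the two shown above can be mapped onto a crypto/x509 certificate template before signing. The Template type, the ToX509 function and the usage-name tables are this example's own assumptions, not the tool's API. It shows two details worth checking in any such mapper: unknown keyUsage/extKeyUsage names are rejected instead of silently dropped (a typo would otherwise weaken the CA's key usage), and the intermediate template's maxPathLen of 0 only reaches the encoded certificate if MaxPathLenZero is set, because Go treats MaxPathLen == 0 without that flag as "no limit".

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Template mirrors the JSON template shape in the PR description. It is an
// assumption for this example, not the tool's own type: encoding/json matches the
// camelCase keys case-insensitively, and "issuer" is ignored because Go's x509
// fills the issuer from the parent certificate at signing time.
type Template struct {
	Subject struct {
		Country, Organization, OrganizationalUnit []string
		CommonName                                string
	}
	NotBefore, NotAfter time.Time
	SerialNumber        int64
	BasicConstraints    struct {
		IsCA       bool
		MaxPathLen int
	}
	KeyUsage, ExtKeyUsage []string
}

var keyUsageBits = map[string]x509.KeyUsage{
	"certSign":         x509.KeyUsageCertSign,
	"crlSign":          x509.KeyUsageCRLSign,
	"digitalSignature": x509.KeyUsageDigitalSignature,
}

var extKeyUsages = map[string]x509.ExtKeyUsage{"CodeSigning": x509.ExtKeyUsageCodeSigning}

// ToX509 decodes template JSON into an x509.Certificate ready for
// x509.CreateCertificate, rejecting usage names it does not recognise instead of
// silently dropping them.
func ToX509(data []byte) (*x509.Certificate, error) {
	var t Template
	if err := json.Unmarshal(data, &t); err != nil {
		return nil, err
	}
	if t.SerialNumber == 0 {
		t.SerialNumber = 1 // the root template omits serialNumber; the page's output shows serial 1
	}
	c := &x509.Certificate{
		SerialNumber: big.NewInt(t.SerialNumber),
		Subject: pkix.Name{Country: t.Subject.Country, Organization: t.Subject.Organization,
			OrganizationalUnit: t.Subject.OrganizationalUnit, CommonName: t.Subject.CommonName},
		NotBefore: t.NotBefore, NotAfter: t.NotAfter, BasicConstraintsValid: true,
		IsCA: t.BasicConstraints.IsCA, MaxPathLen: t.BasicConstraints.MaxPathLen,
		// Go only encodes pathlen:0 when MaxPathLenZero is set; without it the
		// intermediate template above would produce a CA with no path-length limit.
		MaxPathLenZero: t.BasicConstraints.IsCA && t.BasicConstraints.MaxPathLen == 0,
	}
	for _, k := range t.KeyUsage {
		bit, ok := keyUsageBits[k]
		if !ok {
			return nil, fmt.Errorf("unknown keyUsage %q", k)
		}
		c.KeyUsage |= bit
	}
	for _, e := range t.ExtKeyUsage {
		eku, ok := extKeyUsages[e]
		if !ok {
			return nil, fmt.Errorf("unknown extKeyUsage %q", e)
		}
		c.ExtKeyUsage = append(c.ExtKeyUsage, eku)
	}
	return c, nil
}

// Constructed input: the intermediate template from the PR description.
var intermediateTemplateJSON = []byte(`{
  "subject": {"country": ["US"], "organization": ["Sigstore"],
              "organizationalUnit": ["Fulcio Intermediate CA"], "commonName": "https://fulcio.com"},
  "issuer": {"commonName": "https://fulcio.com"},
  "notBefore": "2024-01-01T00:00:00Z", "notAfter": "2034-01-01T00:00:00Z", "serialNumber": 2,
  "basicConstraints": {"isCA": true, "maxPathLen": 0},
  "keyUsage": ["certSign", "crlSign", "digitalSignature"],
  "extKeyUsage": ["CodeSigning"]
}`)

func main() {
	c, err := ToX509(intermediateTemplateJSON)
	if err != nil {
		panic(err)
	}
	fmt.Printf("serial=%s ou=%q isCA=%v pathlen=%d pathlenZero=%v keyUsage=%#x\n",
		c.SerialNumber, c.Subject.OrganizationalUnit, c.IsCA, c.MaxPathLen, c.MaxPathLenZero, c.KeyUsage)
}
```

The resulting x509.Certificate is what x509.CreateCertificate consumes; the parsed output then carries CA:TRUE, pathlen:0 and the three key-usage bits exactly as the example openssl output on the page shows.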

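A second added example (again not the PR's code): issuing the root and intermediate shown in the example certificate outputs with any crypto.Signer, then verifying the result with crypto/x509. The function names (fulcioTemplates, issue, BuildChain, VerifyChain, NewP256Key) are this example's own, and the local P-256 key stands in for the KMS key: a KMS-backed signer that implements crypto.Signer plugs in at exactly the same parameter, which is the seam where the tool's AWS, Google Cloud or Azure key would be used instead.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Templates matching the two example certificates in the PR description, written
// as Go literals here rather than loaded from the JSON template files.
func fulcioTemplates() (root, inter *x509.Certificate) {
	name := func(ou string) pkix.Name {
		return pkix.Name{Country: []string{"US"}, Organization: []string{"Sigstore"},
			OrganizationalUnit: []string{ou}, CommonName: "https://fulcio.com"}
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := time.Date(2034, 1, 1, 0, 0, 0, 0, time.UTC)
	root = &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: name("Fulcio Root CA"),
		NotBefore: notBefore, NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 1,
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	inter = &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: name("Fulcio Intermediate CA"),
		NotBefore: notBefore, NotAfter: notAfter,
		// MaxPathLenZero is required for pathlen:0 to be encoded at all.
		BasicConstraintsValid: true, IsCA: true, MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage:    x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return root, inter
}

// issue signs tmpl for pub with signer (the parent's key) and returns the parsed
// certificate. Any crypto.Signer works here; this is where a KMS-backed signer
// would replace the local key used below.
func issue(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain issues the self-signed root with rootKey, then the intermediate for
// intKey signed by rootKey, the same two-key arrangement the tool describes.
func BuildChain(rootKey, intKey crypto.Signer) (root, inter *x509.Certificate, err error) {
	rootTmpl, interTmpl := fulcioTemplates()
	if root, err = issue(rootTmpl, rootTmpl, rootKey.Public(), rootKey); err != nil {
		return nil, nil, err
	}
	if inter, err = issue(interTmpl, root, intKey.Public(), rootKey); err != nil {
		return nil, nil, err
	}
	return root, inter, nil
}

// VerifyChain checks that the intermediate chains to the root for code signing at
// time at, and that the constraints in the page's example output survived
// encoding: pathlen:1 on the root and pathlen:0 on the intermediate.
func VerifyChain(root, inter *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := inter.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	if !root.IsCA || root.MaxPathLen != 1 || !inter.IsCA || inter.MaxPathLen != 0 || !inter.MaxPathLenZero {
		return fmt.Errorf("basic constraints wrong: root pathlen=%d, intermediate pathlen=%d", root.MaxPathLen, inter.MaxPathLen)
	}
	return nil
}

// NewP256Key generates a local ECDSA P-256 key standing in for a KMS key.
func NewP256Key() crypto.Signer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	root, inter, err := BuildChain(NewP256Key(), NewP256Key())
	if err == nil {
		err = VerifyChain(root, inter, time.Now())
	}
	fmt.Println("chain verified:", err == nil, err)
}
```

VerifyChain takes the evaluation time as a parameter so the check is deterministic: the same call with a date past notAfter must fail, and an intermediate presented with an unrelated root must fail on signature, which is what a smoke test of the generated chain should confirm before the files are handed to Fulcio.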
@ianhundere ianhundere changed the title feat: adds cert templates. feat: adds cert-utility. Nov 22, 2024

codecov bot commented Nov 22, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.03%. Comparing base (cf238ac) to head (450b214).
Report is 242 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1870      +/-   ##
==========================================
- Coverage   57.93%   49.03%   -8.90%     
==========================================
  Files          50       70      +20     
  Lines        3119     5204    +2085     
==========================================
+ Hits         1807     2552     +745     
- Misses       1154     2417    +1263     
- Partials      158      235      +77     


Signed-off-by: ianhundere <[email protected]>
@ianhundere ianhundere force-pushed the feat/adds-cert-maker branch 4 times, most recently from 96fc8dc to 2fbc59f Compare November 25, 2024 18:19
@ianhundere ianhundere marked this pull request as ready for review November 25, 2024 20:18
@ianhundere (Author) commented:

i think this is ready for some 👀

cc @haydentherapper

Successfully merging this pull request may close these issues.

light tool to create/sign (via kms) certs (ca, leaf etc)