Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added --client-signing-algorithms flag #1974

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions cmd/rekor-server/app/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,15 @@ import (
"net/http"
"net/http/pprof"
"os"
"sort"
"strings"
"time"

"github.com/go-chi/chi/middleware"
homedir "github.com/mitchellh/go-homedir"
"github.com/sigstore/rekor/pkg/api"
"github.com/sigstore/rekor/pkg/log"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/spf13/cobra"
"github.com/spf13/viper"

Expand Down Expand Up @@ -137,6 +141,18 @@ Memory and file-based signers should only be used for testing.`)
rootCmd.PersistentFlags().String("http-request-id-header-name", middleware.RequestIDHeader, "name of HTTP Request Header to use as request correlation ID")
rootCmd.PersistentFlags().String("trace-string-prefix", "", "if set, this will be used to prefix the 'trace' field when outputting structured logs")

keyAlgorithmTypes := []string{}
for _, keyAlgorithm := range api.AllowedClientSigningAlgorithms {
keyFlag, err := signature.FormatSignatureAlgorithmFlag(keyAlgorithm)
if err != nil {
panic(err)
}
keyAlgorithmTypes = append(keyAlgorithmTypes, keyFlag)
}
sort.Strings(keyAlgorithmTypes)
keyAlgorithmHelp := fmt.Sprintf("signing algorithm to use for signing/hashing (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
rootCmd.PersistentFlags().StringSlice("client-signing-algorithms", keyAlgorithmTypes, keyAlgorithmHelp)
bobcallaway marked this conversation as resolved.
Show resolved Hide resolved

if err := viper.BindPFlags(rootCmd.PersistentFlags()); err != nil {
log.Logger.Fatal(err)
}
Expand Down
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -203,3 +203,5 @@ require (
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1 // indirect
)

replace github.com/sigstore/sigstore => github.com/trail-of-forks/sigstore v0.0.0-20240219090738-536a0415e570
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

still needs removed before merge

2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -422,6 +422,8 @@ github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qv
github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/trail-of-forks/sigstore v0.0.0-20240219090738-536a0415e570 h1:MK6kgPkHZkBbI1Lm1/iLPJQwTuWDkALKgOL4ede2VWA=
github.com/trail-of-forks/sigstore v0.0.0-20240219090738-536a0415e570/go.mod h1:uUGi88Pc0sTVnzNY5rmB3z7a2k83JHCZ/mTvoyPtwpQ=
github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
Expand Down
41 changes: 41 additions & 0 deletions pkg/api/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ import (
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"

v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
"github.com/sigstore/rekor/pkg/indexstorage"
"github.com/sigstore/rekor/pkg/log"
"github.com/sigstore/rekor/pkg/pubsub"
Expand Down Expand Up @@ -71,8 +72,21 @@ type API struct {
// Publishes notifications when new entries are added to the log. May be
// nil if no publisher is configured.
newEntryPublisher pubsub.Publisher
algorithmRegistry *signature.AlgorithmRegistryConfig
}

var AllowedClientSigningAlgorithms = []v1.PublicKeyDetails{
v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256,
v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256,
v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256,
v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256,
v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384,
v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512,
v1.PublicKeyDetails_PKIX_ED25519,
v1.PublicKeyDetails_PKIX_ED25519_PH,
}
var DefaultClientSigningAlgorithms = AllowedClientSigningAlgorithms

func NewAPI(treeID uint) (*API, error) {
logRPCServer := fmt.Sprintf("%s:%d",
viper.GetString("trillian_log_server.address"),
Expand Down Expand Up @@ -103,6 +117,32 @@ func NewAPI(treeID uint) (*API, error) {
log.Logger.Infof("Starting Rekor server with active tree %v", tid)
ranges.SetActive(tid)

algorithmsOption := viper.GetStringSlice("client-signing-algorithms")
var algorithms []v1.PublicKeyDetails
if algorithmsOption == nil {
algorithms = DefaultClientSigningAlgorithms
} else {
for _, a := range algorithmsOption {
algorithm, err := signature.ParseSignatureAlgorithmFlag(a)
if err != nil {
return nil, fmt.Errorf("parsing signature algorithm flag: %w", err)
}
algorithms = append(algorithms, algorithm)
}
}
algorithmsStr := make([]string, len(algorithms))
for i, a := range algorithms {
algorithmsStr[i], err = signature.FormatSignatureAlgorithmFlag(a)
if err != nil {
return nil, fmt.Errorf("formatting signature algorithm flag: %w", err)
}
}
algorithmRegistry, err := signature.NewAlgorithmRegistryConfig(algorithms)
if err != nil {
return nil, fmt.Errorf("getting algorithm registry: %w", err)
}
log.Logger.Infof("Allowed client signing algorithms: %v", algorithmsStr)

rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer"),
viper.GetString("rekor_server.signer-passwd"))
if err != nil {
Expand Down Expand Up @@ -143,6 +183,7 @@ func NewAPI(treeID uint) (*API, error) {
signer: rekorSigner,
// Utility functionality not required for operation of the core service
newEntryPublisher: newEntryPublisher,
algorithmRegistry: algorithmRegistry,
}, nil
}

Expand Down
76 changes: 76 additions & 0 deletions pkg/api/entries.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,12 +18,18 @@ package api
import (
"bytes"
"context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"
"crypto/x509"
"encoding/hex"
"errors"
"fmt"
"net/http"
"net/url"
"strconv"
"strings"
"time"

"github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
Expand Down Expand Up @@ -179,12 +185,82 @@ func GetLogEntryByIndexHandler(params entries.GetLogEntryByIndexParams) middlewa
return entries.NewGetLogEntryByIndexOK().WithPayload(logEntry)
}

func checkEntryAlgorithms(entry types.EntryImpl) (bool, error) {
verifiers, err := entry.Verifiers()
if err != nil {
return false, fmt.Errorf("getting verifiers: %w", err)
}
// Default to SHA256 if no artifact hash is specified
artifactHashValue := crypto.SHA256
// Get artifact hash from entry
artifactHash, err := entry.ArtifactHash()
if err == nil {
var artifactHashAlgorithm string
algoPosition := strings.Index(artifactHash, ":")
if algoPosition != -1 {
artifactHashAlgorithm = artifactHash[:algoPosition]
}
switch artifactHashAlgorithm {
case "sha256":
artifactHashValue = crypto.SHA256
case "sha384":
artifactHashValue = crypto.SHA384
case "sha512":
artifactHashValue = crypto.SHA512
default:
artifactHashValue = crypto.SHA256
}
}

// Check if all the verifiers public keys (together with the ArtifactHash)
// are allowed according to the policy
for _, v := range verifiers {
identities, err := v.Identities()
if err != nil {
return false, fmt.Errorf("getting identities: %w", err)
}

for _, identity := range identities {
var publicKey crypto.PublicKey
switch identityCrypto := identity.Crypto.(type) {
case *x509.Certificate:
publicKey = identityCrypto.PublicKey
case *rsa.PublicKey:
publicKey = identityCrypto
case *ecdsa.PublicKey:
publicKey = identityCrypto
case ed25519.PublicKey:
publicKey = identityCrypto
default:
continue
}
isPermitted, err := api.algorithmRegistry.IsAlgorithmPermitted(publicKey, artifactHashValue)
if err != nil {
return false, fmt.Errorf("checking if algorithm is permitted: %w", err)
}
if !isPermitted {
return false, nil
}
}
}
return true, nil
}

func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middleware.Responder) {
ctx := params.HTTPRequest.Context()
entry, err := types.CreateVersionedEntry(params.ProposedEntry)
if err != nil {
return nil, handleRekorAPIError(params, http.StatusBadRequest, err, fmt.Sprintf(validationError, err))
}

areEntryAlgorithmsAllowed, err := checkEntryAlgorithms(entry)
if err != nil {
return nil, handleRekorAPIError(params, http.StatusBadRequest, err, fmt.Sprintf(validationError, err))
}
if !areEntryAlgorithmsAllowed {
return nil, handleRekorAPIError(params, http.StatusBadRequest, errors.New("entry algorithms are not allowed"), fmt.Sprintf(validationError, "entry algorithms are not allowed"))
}

leaf, err := types.CanonicalizeEntry(ctx, entry)
if err != nil {
if _, ok := (err).(types.ValidationError); ok {
Expand Down
22 changes: 22 additions & 0 deletions pkg/types/jar/v0.0.1/entry.go
Original file line number Diff line number Diff line change
Expand Up @@ -324,6 +324,28 @@ func (v *V001Entry) CreateFromArtifactProperties(ctx context.Context, props type
}
re.JARModel.Archive.Content = (strfmt.Base64)(artifactBytes)

keyObj, sigObj, err := re.fetchExternalEntities(ctx)
if err != nil {
return nil, fmt.Errorf("error retrieving external entities: %v", err)
}

// need to canonicalize key content
keyContent, err := keyObj.CanonicalValue()
if err != nil {
return nil, err
}
sigContent, err := sigObj.CanonicalValue()
if err != nil {
return nil, err
}

re.JARModel.Signature = &models.JarV001SchemaSignature{
PublicKey: &models.JarV001SchemaSignaturePublicKey{
Content: (*strfmt.Base64)(&keyContent),
},
Content: sigContent,
}

if err := re.validate(); err != nil {
return nil, err
}
Expand Down
Loading