Skip to content

Commit

Permalink
KMS Support (#120)
Browse files Browse the repository at this point in the history
* first pass for implementing kms support

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* saving progress on hashtype flag for kms signer

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* saving kms progress for verifier

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* updating go mod

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* saving progrsss

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* review of AWS KMS signer and adding scrappy implementation of GCP Signer
- needs cleanup and testing

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* adding tests and some other changes

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* fixing license headers

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* fixing header

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* small refactor

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* adding hashicorp vault kms signer

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* small fixes

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* adding unfinished fake kms client

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* completing fake client for gcp

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* adding signer test for gcp

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* fixing local verification and adding support for PKCS #1 v1.5

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* the nested module isn't needed here

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* adding implementation for kms provider options

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* removing hashivault kms for now (not finished)

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* Resolve linter errors

Signed-off-by: John Kjell <john@testifysec.com>

* Remove unused function

Signed-off-by: John Kjell <john@testifysec.com>

* added all the obvious options for aws and gcp kms

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* fixing some linting errors

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* some refactors made in the quest of folding out a bug

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* making final changes for PR

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* added public key to parse function

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

* removing them again haha

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>

---------

Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk>
Signed-off-by: John Kjell <john@testifysec.com>
Co-authored-by: John Kjell <john@testifysec.com>
  • Loading branch information
ChaosInTheCRD and jkjell authored Feb 15, 2024
1 parent c5816df commit f7a1037
Show file tree
Hide file tree
Showing 19 changed files with 2,878 additions and 10 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -13,3 +13,4 @@ log
sarif-report.json
test/log
.idea/
profile.cov
2 changes: 1 addition & 1 deletion attestation/context.go
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ func (ctx *AttestationContext) RunAttestors() error {

order := runTypeOrder()
for _, k := range order {
log.Debugf("starting %s attestors...", k.String())
log.Debugf("Starting %s attestors...", k.String())
for _, att := range attestors[k] {
log.Infof("Starting %v attestor...", att.Name())
ctx.runAttestor(att)
Expand Down
7 changes: 6 additions & 1 deletion cryptoutil/rsa.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,12 @@ func (v *RSAVerifier) Verify(data io.Reader, sig []byte) error {
Hash: v.hash,
}

return rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts)
// AWS KMS introduces the chance that attestations get signed by PKCS1v15 instead of PSS
if err := rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts); err != nil {
return rsa.VerifyPKCS1v15(v.pub, v.hash, digest, sig)
}

return nil
}

func (v *RSAVerifier) Bytes() ([]byte, error) {
Expand Down
52 changes: 52 additions & 0 deletions cryptoutil/util.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,21 @@ import (
"crypto/x509"
"encoding/hex"
"encoding/pem"
"errors"
"fmt"
"io"
)

// PEMType is a specific type for string constants used during PEM encoding and decoding
type PEMType string

const (
// PublicKeyPEMType is the string "PUBLIC KEY" to be used during PEM encoding and decoding
PublicKeyPEMType PEMType = "PUBLIC KEY"
// PKCS1PublicKeyPEMType is the string "RSA PUBLIC KEY" used to parse PKCS#1-encoded public keys
PKCS1PublicKeyPEMType PEMType = "RSA PUBLIC KEY"
)

type ErrUnsupportedPEM struct {
t string
}
Expand Down Expand Up @@ -85,6 +96,23 @@ func PublicPemBytes(pub interface{}) ([]byte, error) {
return pemBytes, err
}

// UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey
func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error) {
derBytes, _ := pem.Decode(pemBytes)
if derBytes == nil {
return nil, errors.New("PEM decoding failed")
}
switch derBytes.Type {
case string(PublicKeyPEMType):
return x509.ParsePKIXPublicKey(derBytes.Bytes)
case string(PKCS1PublicKeyPEMType):
return x509.ParsePKCS1PublicKey(derBytes.Bytes)
default:
return nil, fmt.Errorf("unknown Public key PEM file type: %v. Are you passing the correct public key?",
derBytes.Type)
}
}

func TryParsePEMBlock(block *pem.Block) (interface{}, error) {
if block == nil {
return nil, ErrInvalidPemBlock{}
Expand Down Expand Up @@ -147,3 +175,27 @@ func TryParseCertificate(data []byte) (*x509.Certificate, error) {

return cert, nil
}

// ComputeDigest calculates the digest value for the specified message using the supplied hash function
func ComputeDigest(rawMessage io.Reader, hashFunc crypto.Hash, supportedHashFuncs []crypto.Hash) ([]byte, crypto.Hash, error) {
var cryptoSignerOpts crypto.SignerOpts = hashFunc
hashedWith := cryptoSignerOpts.HashFunc()
if !isSupportedAlg(hashedWith, supportedHashFuncs) {
return nil, crypto.Hash(0), fmt.Errorf("unsupported hash algorithm: %q not in %v", hashedWith.String(), supportedHashFuncs)
}

digest, err := Digest(rawMessage, hashedWith)
return digest, hashedWith, err
}

func isSupportedAlg(alg crypto.Hash, supportedAlgs []crypto.Hash) bool {
if supportedAlgs == nil {
return true
}
for _, supportedAlg := range supportedAlgs {
if alg == supportedAlg {
return true
}
}
return false
}
27 changes: 26 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,16 @@ module github.com/in-toto/go-witness
go 1.21

require (
cloud.google.com/go/kms v1.15.2
github.com/aws/aws-sdk-go-v2 v1.17.5
github.com/aws/aws-sdk-go-v2/config v1.18.14
github.com/aws/aws-sdk-go-v2/service/kms v1.20.4
github.com/digitorus/pkcs7 v0.0.0-20230220124406-51331ccfc40f
github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425
github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
github.com/go-git/go-git/v5 v5.11.0
github.com/in-toto/archivista v0.2.0
github.com/jellydator/ttlcache/v3 v3.1.1
github.com/mattn/go-isatty v0.0.20
github.com/open-policy-agent/opa v0.49.2
github.com/owenrumney/go-sarif v1.1.1
Expand All @@ -21,9 +26,22 @@ require (
)

require (
cloud.google.com/go/compute v1.23.0 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.1.2 // indirect
dario.cat/mergo v1.0.0 // indirect
filippo.io/edwards25519 v1.0.0 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.13.14 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.30 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.23 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.12.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.3 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.18.4 // indirect
github.com/aws/smithy-go v1.13.5 // indirect
github.com/cloudflare/circl v1.3.7 // indirect
github.com/coreos/go-oidc/v3 v3.5.0 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
Expand All @@ -36,10 +54,14 @@ require (
github.com/google/flatbuffers v2.0.8+incompatible // indirect
github.com/google/go-containerregistry v0.13.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/s2a-go v0.1.4 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.4 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
Expand All @@ -51,9 +73,12 @@ require (
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/zclconf/go-cty v1.12.1 // indirect
go.opencensus.io v0.24.0 // indirect
golang.org/x/mod v0.12.0 // indirect
golang.org/x/oauth2 v0.13.0 // indirect
golang.org/x/sync v0.5.0 // indirect
golang.org/x/tools v0.13.0 // indirect
google.golang.org/api v0.128.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
Expand Down Expand Up @@ -93,7 +118,7 @@ require (
golang.org/x/term v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
google.golang.org/genproto v0.0.0-20231012201019-e917dd12ba7a // indirect
google.golang.org/protobuf v1.32.0 // indirect
google.golang.org/protobuf v1.32.0
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
Expand Down
Loading

0 comments on commit f7a1037

Please sign in to comment.