KMS Support #120

Merged
merged 41 commits into from
Feb 15, 2024

41 commits
4964a10  first pass for implementing kms support  (ChaosInTheCRD, Jan 8, 2024)
0853850  saving progress on hashtype flag for kms signer  (ChaosInTheCRD, Jan 9, 2024)
1af7687  saving kms progress for verifier  (ChaosInTheCRD, Jan 10, 2024)
d14c4e9  updating go mod  (ChaosInTheCRD, Jan 10, 2024)
ca228cb  Merge branch 'main' of github.com:in-toto/go-witness into kms-support  (ChaosInTheCRD, Jan 12, 2024)
12deda2  saving progress  (ChaosInTheCRD, Jan 12, 2024)
b8eee30  Merge branch 'main' of github.com:in-toto/go-witness into kms-support  (ChaosInTheCRD, Jan 17, 2024)
eda08d5  review of AWS KMS signer and adding scrappy implementation of GCP Signer  (ChaosInTheCRD, Jan 17, 2024)
d7d9b74  adding tests and some other changes  (ChaosInTheCRD, Jan 24, 2024)
946e187  Merge branch 'main' into kms-support  (ChaosInTheCRD, Jan 24, 2024)
6c1d8cf  fixing license headers  (ChaosInTheCRD, Jan 24, 2024)
da26fe4  fixing header  (ChaosInTheCRD, Jan 24, 2024)
f03a897  Merge branch 'main' of github.com:in-toto/go-witness into kms-support  (ChaosInTheCRD, Jan 24, 2024)
c0151c7  Merge branch 'kms-support' of github.com:ChaosInTheCRD/go-witness int…  (ChaosInTheCRD, Jan 24, 2024)
599b2cb  small refactor  (ChaosInTheCRD, Jan 24, 2024)
0ccdf11  adding hashicorp vault kms signer  (ChaosInTheCRD, Jan 26, 2024)
0ee5f0c  small fixes  (ChaosInTheCRD, Jan 26, 2024)
0314ccf  adding unfinished fake kms client  (ChaosInTheCRD, Jan 29, 2024)
429293f  completing fake client for gcp  (ChaosInTheCRD, Feb 1, 2024)
c7c9329  adding signer test for gcp  (ChaosInTheCRD, Feb 1, 2024)
e80d865  Merge branch 'main' into kms-support  (ChaosInTheCRD, Feb 1, 2024)
0a45306  fixing local verification and adding support for PKCS #1 v1.5  (ChaosInTheCRD, Feb 1, 2024)
0eac58e  Merge branch 'kms-support' of github.com:ChaosInTheCRD/go-witness int…  (ChaosInTheCRD, Feb 1, 2024)
1f9f95e  Merge branch 'main' into kms-support  (ChaosInTheCRD, Feb 1, 2024)
0c66e71  Merge branch 'main' of github.com:in-toto/go-witness into kms-support  (ChaosInTheCRD, Feb 6, 2024)
df50669  the nested module isn't needed here  (ChaosInTheCRD, Feb 6, 2024)
1a8a79c  Merge branch 'kms-support' of github.com:ChaosInTheCRD/go-witness int…  (ChaosInTheCRD, Feb 6, 2024)
4c51653  adding implementation for kms provider options  (ChaosInTheCRD, Feb 8, 2024)
54b1a51  removing hashivault kms for now (not finished)  (ChaosInTheCRD, Feb 8, 2024)
363dcc6  Resolve linter errors  (jkjell, Feb 8, 2024)
4f8cd73  Remove unused function  (jkjell, Feb 8, 2024)
539f876  added all the obvious options for aws and gcp kms  (ChaosInTheCRD, Feb 12, 2024)
07575d1  fixing some linting errors  (ChaosInTheCRD, Feb 12, 2024)
41d3fa3  Merge branch 'main' into kms-support  (ChaosInTheCRD, Feb 12, 2024)
ece6ed2  Merge branch 'main' into kms-support  (ChaosInTheCRD, Feb 12, 2024)
fd9e21b  some refactors made in the quest of folding out a bug  (ChaosInTheCRD, Feb 13, 2024)
7a9b1a8  Merge branch 'kms-support' of github.com:ChaosInTheCRD/go-witness int…  (ChaosInTheCRD, Feb 13, 2024)
1680e8c  making final changes for PR  (ChaosInTheCRD, Feb 13, 2024)
1571df7  Merge branch 'main' into kms-support  (ChaosInTheCRD, Feb 13, 2024)
2d7d9f8  added public key to parse function  (ChaosInTheCRD, Feb 15, 2024)
758242e  removing them again haha  (ChaosInTheCRD, Feb 15, 2024)
1 change: 1 addition & 0 deletions .gitignore
@@ -13,3 +13,4 @@ log
sarif-report.json
test/log
.idea/
profile.cov
2 changes: 1 addition & 1 deletion attestation/context.go
@@ -137,7 +137,7 @@ func (ctx *AttestationContext) RunAttestors() error {

order := runTypeOrder()
for _, k := range order {
log.Debugf("starting %s attestors...", k.String())
log.Debugf("Starting %s attestors...", k.String())
for _, att := range attestors[k] {
log.Infof("Starting %v attestor...", att.Name())
ctx.runAttestor(att)
7 changes: 6 additions & 1 deletion cryptoutil/rsa.go
@@ -76,7 +76,12 @@ func (v *RSAVerifier) Verify(data io.Reader, sig []byte) error {
Hash: v.hash,
}

return rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts)
// AWS KMS introduces the chance that attestations get signed by PKCS1v15 instead of PSS
if err := rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts); err != nil {
return rsa.VerifyPKCS1v15(v.pub, v.hash, digest, sig)
}

return nil
}

func (v *RSAVerifier) Bytes() ([]byte, error) {
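Review bot: the new fallback in Verify silently widens what every RSAVerifier accepts: when rsa.VerifyPSS fails, its error is thrown away and rsa.VerifyPKCS1v15 is tried, so a verifier built for a local PSS key now also accepts PKCS#1 v1.5 signatures, and the error a caller sees for any bad signature is always the PKCS1v15 one, which hides the PSS failure. The comment gives the reason (AWS KMS keys may sign with PKCS1v15); make that explicit instead of try-both, e.g. record the padding scheme on RSAVerifier when it is constructed for a key configured for PKCS#1 v1.5 and call exactly one of rsa.VerifyPSS / rsa.VerifyPKCS1v15. If the fallback has to stay, at least preserve both errors (`fmt.Errorf("pss: %w; pkcs1v15: %v", pssErr, pkcsErr)`) and say in the doc comment on RSAVerifier that both paddings are accepted, so callers know the verifier is not PSS-only.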
52 changes: 52 additions & 0 deletions cryptoutil/util.go
@@ -20,10 +20,21 @@ import (
"crypto/x509"
"encoding/hex"
"encoding/pem"
"errors"
"fmt"
"io"
)

// PEMType is a specific type for string constants used during PEM encoding and decoding
type PEMType string

const (
// PublicKeyPEMType is the string "PUBLIC KEY" to be used during PEM encoding and decoding
PublicKeyPEMType PEMType = "PUBLIC KEY"
// PKCS1PublicKeyPEMType is the string "RSA PUBLIC KEY" used to parse PKCS#1-encoded public keys
PKCS1PublicKeyPEMType PEMType = "RSA PUBLIC KEY"
)

type ErrUnsupportedPEM struct {
t string
}
@@ -85,6 +96,23 @@ func PublicPemBytes(pub interface{}) ([]byte, error) {
return pemBytes, err
}

// UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey
func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error) {
derBytes, _ := pem.Decode(pemBytes)
if derBytes == nil {
return nil, errors.New("PEM decoding failed")
}
switch derBytes.Type {
case string(PublicKeyPEMType):
return x509.ParsePKIXPublicKey(derBytes.Bytes)
case string(PKCS1PublicKeyPEMType):
return x509.ParsePKCS1PublicKey(derBytes.Bytes)
default:
return nil, fmt.Errorf("unknown Public key PEM file type: %v. Are you passing the correct public key?",
derBytes.Type)
}
}

func TryParsePEMBlock(block *pem.Block) (interface{}, error) {
if block == nil {
return nil, ErrInvalidPemBlock{}
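Review bot: `derBytes, _ := pem.Decode(pemBytes)` in UnmarshalPEMToPublicKey discards the remainder of the input, so a file holding several PEM blocks or trailing data is silently parsed from its first block only; either reject a non-empty remainder (`block, rest := pem.Decode(pemBytes)` then `if len(rest) != 0 { return nil, errors.New("trailing data after PEM block") }`) or state in the doc comment that only the first block is read. Two smaller points: the value is a *pem.Block, not DER bytes, so `block` is the clearer name, and the default-case message should list the accepted types ("PUBLIC KEY" or "RSA PUBLIC KEY") so the user knows what to supply. TryParsePEMBlock just below also parses PEM blocks; a sentence on when to use which would help the next reader.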
@@ -147,3 +175,27 @@ func TryParseCertificate(data []byte) (*x509.Certificate, error) {

return cert, nil
}

// ComputeDigest calculates the digest value for the specified message using the supplied hash function
func ComputeDigest(rawMessage io.Reader, hashFunc crypto.Hash, supportedHashFuncs []crypto.Hash) ([]byte, crypto.Hash, error) {
var cryptoSignerOpts crypto.SignerOpts = hashFunc
hashedWith := cryptoSignerOpts.HashFunc()
if !isSupportedAlg(hashedWith, supportedHashFuncs) {
return nil, crypto.Hash(0), fmt.Errorf("unsupported hash algorithm: %q not in %v", hashedWith.String(), supportedHashFuncs)
}

digest, err := Digest(rawMessage, hashedWith)
return digest, hashedWith, err
}

func isSupportedAlg(alg crypto.Hash, supportedAlgs []crypto.Hash) bool {
if supportedAlgs == nil {
return true
}
for _, supportedAlg := range supportedAlgs {
if alg == supportedAlg {
return true
}
}
return false
}
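Review bot: in ComputeDigest the round trip through `var cryptoSignerOpts crypto.SignerOpts = hashFunc` and `cryptoSignerOpts.HashFunc()` is a no-op, since crypto.Hash's HashFunc method returns the receiver, so hashedWith always equals hashFunc and the two lines can go. The more important point is in isSupportedAlg: a nil slice means "accept any hash" while an empty non-nil slice means "accept none", and that distinction is easy to trip over (a signer that builds its list as `[]crypto.Hash{}` rejects every hash). Either document the nil-means-unrestricted rule on both functions or test `len(supportedAlgs) == 0`, whichever semantics is intended. With an unrestricted list, crypto.Hash(0) and hashes that are not linked in also pass the check; a `!hashFunc.Available()` guard before calling Digest would turn that into a clear error rather than leaving it to Digest.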
27 changes: 26 additions & 1 deletion go.mod
@@ -3,11 +3,16 @@ module github.com/in-toto/go-witness
go 1.21

require (
cloud.google.com/go/kms v1.15.2
github.com/aws/aws-sdk-go-v2 v1.17.5
github.com/aws/aws-sdk-go-v2/config v1.18.14
github.com/aws/aws-sdk-go-v2/service/kms v1.20.4
github.com/digitorus/pkcs7 v0.0.0-20230220124406-51331ccfc40f
github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425
github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
github.com/go-git/go-git/v5 v5.11.0
github.com/in-toto/archivista v0.2.0
github.com/jellydator/ttlcache/v3 v3.1.1
github.com/mattn/go-isatty v0.0.20
github.com/open-policy-agent/opa v0.49.2
github.com/owenrumney/go-sarif v1.1.1
@@ -21,9 +26,22 @@ require (
)

require (
cloud.google.com/go/compute v1.23.0 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.1.2 // indirect
dario.cat/mergo v1.0.0 // indirect
filippo.io/edwards25519 v1.0.0 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.13.14 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.30 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.23 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.12.3 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.3 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.18.4 // indirect
github.com/aws/smithy-go v1.13.5 // indirect
github.com/cloudflare/circl v1.3.7 // indirect
github.com/coreos/go-oidc/v3 v3.5.0 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
@@ -36,10 +54,14 @@ require (
github.com/google/flatbuffers v2.0.8+incompatible // indirect
github.com/google/go-containerregistry v0.13.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/s2a-go v0.1.4 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.4 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -51,9 +73,12 @@ require (
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/zclconf/go-cty v1.12.1 // indirect
go.opencensus.io v0.24.0 // indirect
golang.org/x/mod v0.12.0 // indirect
golang.org/x/oauth2 v0.13.0 // indirect
golang.org/x/sync v0.5.0 // indirect
golang.org/x/tools v0.13.0 // indirect
google.golang.org/api v0.128.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
@@ -93,7 +118,7 @@ require (
golang.org/x/term v0.15.0 // indirect
golang.org/x/text v0.14.0 // indirect
google.golang.org/genproto v0.0.0-20231012201019-e917dd12ba7a // indirect
google.golang.org/protobuf v1.32.0 // indirect
google.golang.org/protobuf v1.32.0
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
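Review bot: google.golang.org/protobuf v1.32.0 loses its `// indirect` marker here, meaning the module now imports it directly (presumably from the new KMS code), but it is left in the second require block, which otherwise holds only indirect dependencies. `go mod tidy` keeps direct and indirect requirements in separate blocks and would move this line up next to the new cloud.google.com/go/kms and aws-sdk-go-v2 entries in the first block; run tidy and commit the result so the go.mod layout stays consistent.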