Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow configurable client signing algorithms #1517

Draft
wants to merge 10 commits into
base: main
Choose a base branch
from
Draft

Allow configurable client signing algorithms #1517

wants to merge 10 commits into from

Conversation

tetsuo-cpp
Copy link

@tetsuo-cpp tetsuo-cpp commented Jan 8, 2024
edited
Loading

Summary

This PR adds a --client-signing-algorithms flag to Fulcio to restrict what key/hash combinations are allowed.

Release Note

Documentation

@tetsuo-cpp
Implement --client-signing-algorithms
61369a0 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@tetsuo-cpp
Fix type check
71fe98e 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@tetsuo-cpp tetsuo-cpp marked this pull request as draft January 8, 2024 11:21
@tetsuo-cpp
Copy link
Author

tetsuo-cpp commented Jan 8, 2024
edited
Loading

@woodruffw @ret2libc
As discussed, this is rough but I've opened it up for discussion since it probably makes sense to share some of this logic with Rekor. I haven't written Go before so please let me know if I'm not doing things idiomatically, I don't really know what I'm doing.

tetsuo-cpp
tetsuo-cpp commented Jan 8, 2024
View reviewed changes
pkg/server/algorithm_registry.go Outdated Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
pkg/server/algorithm_registry.go Outdated Show resolved Hide resolved
@tetsuo-cpp
Use SupportedAlgorithm spec type to parse configuration options
d95ff74 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@tetsuo-cpp
Copy link
Author

I've shown in d95ff74 how we can use an enum in sigstore/protobuf-specs to avoid redundancy in Fulcio and Rekor in CLI parsing, etc.

tetsuo-cpp
tetsuo-cpp commented Jan 9, 2024
View reviewed changes
go.mod Outdated Show resolved Hide resolved
ret2libc
ret2libc reviewed Jan 9, 2024
View reviewed changes
cmd/app/serve.go Outdated Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
@woodruffw
Copy link
Member

xref: sigstore/protobuf-specs#189 will ultimately standardize the full registry of signing algorithms, but doesn't block initial work here (since we know a couple of ECDSA variants that'll need verification support already).

@tetsuo-cpp
Override the SHA-256 default in the case of ED25519
6208232 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@ret2libc ret2libc mentioned this pull request Jan 11, 2024
Closed
@tetsuo-cpp
Copy link
Author

I'll follow up with some unit tests tomorrow.

@tetsuo-cpp
Get unit tests passing
bde6e27 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@tetsuo-cpp
Add CSR unit tests
bda9c01 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
@tetsuo-cpp
Add non-CSR unit tests
05a012b 
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
ret2libc
ret2libc reviewed Jan 29, 2024
View reviewed changes
cmd/app/serve.go
@@ -106,6 +109,7 @@ func newServeCmd() *cobra.Command {
cmd.Flags().Duration("read-header-timeout", 10*time.Second, "The time allowed to read the headers of the requests in seconds")
cmd.Flags().String("grpc-tls-certificate", "", "the certificate file to use for secure connections - only applies to grpc-port")
cmd.Flags().String("grpc-tls-key", "", "the private key file to use for secure connections (without passphrase) - only applies to grpc-port")
cmd.Flags().StringSlice("client-signing-algorithms", buildDefaultClientSigningAlgorithms([]v1.KnownSignatureAlgorithm{v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256, v1.KnownSignatureAlgorithm_ECDSA_SHA2_384_NISTP384, v1.KnownSignatureAlgorithm_ECDSA_SHA2_512_NISTP521, v1.KnownSignatureAlgorithm_ED25519}), "the list of allowed client signing algorithms")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we default to the 256 algos only right now? I think that's the most conservative option as it does not add new algos. Other SHAs were not working before.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering the same for Rekor as well.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I think that'd be a reasonable default.

tetsuo-cpp
tetsuo-cpp commented Jan 29, 2024
View reviewed changes
pkg/server/grpc_server_test.go
@@ -1182,6 +1188,94 @@ func TestAPIWithIssuerClaimConfig(t *testing.T) {
}
}

// Tests API with an RSA key
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't want to unit test the algorithm registry code too heavily here since that's sigstore/sigstore's responsibility.

I'm focusing on:

  • Testing that other key types work (RSA in this case).
  • Testing that non-permitted algorithms are rejected (ECDSA with P521 curve in this case).
  • Testing both the CSR and non-CSR paths.

@ret2libc ret2libc mentioned this pull request Feb 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ret2libc ret2libc ret2libc left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tetsuo-cpp @woodruffw @ret2libc