Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Allow configurable client signing algorithms #1517

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Allow configurable client signing algorithms #1517

wants to merge 3 commits into from
+465 −44

Conversation

tetsuo-cpp
Copy link

@tetsuo-cpp tetsuo-cpp commented Jan 8, 2024
edited
Loading

Summary

This PR adds a --client-signing-algorithms flag to Fulcio to restrict what key/hash combinations are allowed.

Release Note

Documentation

@tetsuo-cpp tetsuo-cpp marked this pull request as draft January 8, 2024 11:21
@tetsuo-cpp
Copy link
Author

tetsuo-cpp commented Jan 8, 2024
edited
Loading

@woodruffw @ret2libc
As discussed, this is rough but I've opened it up for discussion since it probably makes sense to share some of this logic with Rekor. I haven't written Go before so please let me know if I'm not doing things idiomatically, I don't really know what I'm doing.

tetsuo-cpp
tetsuo-cpp commented Jan 8, 2024
View reviewed changes
pkg/server/algorithm_registry.go Outdated Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
pkg/server/algorithm_registry.go Outdated Show resolved Hide resolved
@tetsuo-cpp
Copy link
Author

I've shown in d95ff74 how we can use an enum in sigstore/protobuf-specs to avoid redundancy in Fulcio and Rekor in CLI parsing, etc.

tetsuo-cpp
tetsuo-cpp commented Jan 9, 2024
View reviewed changes
go.mod Outdated Show resolved Hide resolved
ret2libc
ret2libc reviewed Jan 9, 2024
View reviewed changes
cmd/app/serve.go Outdated Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
pkg/server/grpc_server.go Show resolved Hide resolved
@woodruffw
Copy link
Member

xref: sigstore/protobuf-specs#189 will ultimately standardize the full registry of signing algorithms, but doesn't block initial work here (since we know a couple of ECDSA variants that'll need verification support already).

@ret2libc ret2libc mentioned this pull request Jan 11, 2024
Closed
@tetsuo-cpp
Copy link
Author

I'll follow up with some unit tests tomorrow.

ret2libc
ret2libc reviewed Jan 29, 2024
View reviewed changes
cmd/app/serve.go Outdated
@@ -106,6 +109,7 @@ func newServeCmd() *cobra.Command {
cmd.Flags().Duration("read-header-timeout", 10*time.Second, "The time allowed to read the headers of the requests in seconds")
cmd.Flags().String("grpc-tls-certificate", "", "the certificate file to use for secure connections - only applies to grpc-port")
cmd.Flags().String("grpc-tls-key", "", "the private key file to use for secure connections (without passphrase) - only applies to grpc-port")
cmd.Flags().StringSlice("client-signing-algorithms", buildDefaultClientSigningAlgorithms([]v1.KnownSignatureAlgorithm{v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256, v1.KnownSignatureAlgorithm_ECDSA_SHA2_384_NISTP384, v1.KnownSignatureAlgorithm_ECDSA_SHA2_512_NISTP521, v1.KnownSignatureAlgorithm_ED25519}), "the list of allowed client signing algorithms")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we default to the 256 algos only right now? I think that's the most conservative option as it does not add new algos. Other SHAs were not working before.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering the same for Rekor as well.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I think that'd be a reasonable default.

tetsuo-cpp
tetsuo-cpp commented Jan 29, 2024
View reviewed changes
pkg/server/grpc_server_test.go
@@ -1182,6 +1188,94 @@ func TestAPIWithIssuerClaimConfig(t *testing.T) {
}
}

// Tests API with an RSA key
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't want to unit test the algorithm registry code too heavily here since that's sigstore/sigstore's responsibility.

I'm focusing on:

  • Testing that other key types work (RSA in this case).
  • Testing that non-permitted algorithms are rejected (ECDSA with P521 curve in this case).
  • Testing both the CSR and non-CSR paths.

@ret2libc ret2libc mentioned this pull request Feb 19, 2024
Merged
@woodruffw woodruffw mentioned this pull request Jan 21, 2025
Open
10 tasks
@ret2libc @tetsuo-cpp
Allow configurable client signing algorithms
117abc4 
Co-authored-by: Alex Cameron <asc@tetsuo.sh>
Co-authored-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
@ret2libc ret2libc force-pushed the alex/configurable-crypto branch from e4d084e to 117abc4 Compare January 30, 2025 11:01
@ret2libc
update go.mod
7c64410 
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
@ret2libc
grpc_server_test.go: remove duplicated comment
e65897c 
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
@ret2libc ret2libc mentioned this pull request Feb 5, 2025
Open
@ret2libc
Copy link

ret2libc commented Feb 5, 2025

I think we can close this in favour of #1938

# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@ret2libc ret2libc ret2libc left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tetsuo-cpp @woodruffw @ret2libc