Skip to content

Allow configurable client signing algorithms#1517

Closed
tetsuo-cpp wants to merge 3 commits intosigstore:mainfrom
trail-of-forks:alex/configurable-crypto
Closed

Allow configurable client signing algorithms#1517
tetsuo-cpp wants to merge 3 commits intosigstore:mainfrom
trail-of-forks:alex/configurable-crypto

Conversation

@tetsuo-cpp
Copy link
Copy Markdown
Contributor

@tetsuo-cpp tetsuo-cpp commented Jan 8, 2024
edited
Loading

Summary

This PR adds a --client-signing-algorithms flag to Fulcio to restrict what key/hash combinations are allowed.

Release Note

Documentation

@tetsuo-cpp tetsuo-cpp marked this pull request as draft January 8, 2024 11:21
@tetsuo-cpp
Copy link
Copy Markdown
Contributor Author

tetsuo-cpp commented Jan 8, 2024
edited
Loading

@woodruffw @ret2libc
As discussed, this is rough but I've opened it up for discussion since it probably makes sense to share some of this logic with Rekor. I haven't written Go before so please let me know if I'm not doing things idiomatically, I don't really know what I'm doing.

tetsuo-cpp
tetsuo-cpp commented Jan 8, 2024
View reviewed changes
@tetsuo-cpp
Copy link
Copy Markdown
Contributor Author

tetsuo-cpp commented Jan 9, 2024

I've shown in d95ff74 how we can use an enum in sigstore/protobuf-specs to avoid redundancy in Fulcio and Rekor in CLI parsing, etc.

tetsuo-cpp
tetsuo-cpp commented Jan 9, 2024
View reviewed changes
ret2libc
ret2libc reviewed Jan 9, 2024
View reviewed changes
@woodruffw
Copy link
Copy Markdown
Member

woodruffw commented Jan 9, 2024

xref: sigstore/protobuf-specs#189 will ultimately standardize the full registry of signing algorithms, but doesn't block initial work here (since we know a couple of ECDSA variants that'll need verification support already).

@ret2libc ret2libc mentioned this pull request Jan 11, 2024
Closed
@tetsuo-cpp
Copy link
Copy Markdown
Contributor Author

tetsuo-cpp commented Jan 28, 2024

I'll follow up with some unit tests tomorrow.

ret2libc
ret2libc reviewed Jan 29, 2024
View reviewed changes
cmd/app/serve.go Outdated
cmd.Flags().Duration("read-header-timeout", 10*time.Second, "The time allowed to read the headers of the requests in seconds")
cmd.Flags().String("grpc-tls-certificate", "", "the certificate file to use for secure connections - only applies to grpc-port")
cmd.Flags().String("grpc-tls-key", "", "the private key file to use for secure connections (without passphrase) - only applies to grpc-port")
cmd.Flags().StringSlice("client-signing-algorithms", buildDefaultClientSigningAlgorithms([]v1.KnownSignatureAlgorithm{v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256, v1.KnownSignatureAlgorithm_ECDSA_SHA2_384_NISTP384, v1.KnownSignatureAlgorithm_ECDSA_SHA2_512_NISTP521, v1.KnownSignatureAlgorithm_ED25519}), "the list of allowed client signing algorithms")
Copy link
Copy Markdown
Contributor

@ret2libc ret2libc Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we default to the 256 algos only right now? I think that's the most conservative option as it does not add new algos. Other SHAs were not working before.

Copy link
Copy Markdown
Contributor

@ret2libc ret2libc Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wondering the same for Rekor as well.

Copy link
Copy Markdown
Contributor Author

@tetsuo-cpp tetsuo-cpp Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I think that'd be a reasonable default.

tetsuo-cpp
tetsuo-cpp commented Jan 29, 2024
View reviewed changes
pkg/server/grpc_server_test.go
}
}

// Tests API with an RSA key
Copy link
Copy Markdown
Contributor Author

@tetsuo-cpp tetsuo-cpp Jan 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't want to unit test the algorithm registry code too heavily here since that's sigstore/sigstore's responsibility.

I'm focusing on:

  • Testing that other key types work (RSA in this case).
  • Testing that non-permitted algorithms are rejected (ECDSA with P521 curve in this case).
  • Testing both the CSR and non-CSR paths.

@ret2libc ret2libc mentioned this pull request Feb 19, 2024
Merged
@woodruffw woodruffw mentioned this pull request Jan 21, 2025
Open
10 tasks
@ret2libc @tetsuo-cpp
Allow configurable client signing algorithms
117abc4 
Co-authored-by: Alex Cameron <asc@tetsuo.sh>
Co-authored-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
Signed-off-by: Alex Cameron <asc@tetsuo.sh>
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
@ret2libc ret2libc force-pushed the alex/configurable-crypto branch from e4d084e to 117abc4 Compare January 30, 2025 11:01
@ret2libc
update go.mod
7c64410 
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
@ret2libc
grpc_server_test.go: remove duplicated comment
e65897c 
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
@ret2libc ret2libc mentioned this pull request Feb 5, 2025
Merged
@ret2libc
Copy link
Copy Markdown
Contributor

ret2libc commented Feb 5, 2025

I think we can close this in favour of #1938

@Hayden-IO Hayden-IO closed this Feb 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ret2libc ret2libc ret2libc left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tetsuo-cpp @woodruffw @ret2libc @Hayden-IO