KMS Support (#120)

* first pass for implementing kms support Signed-off-by: chaosinthecrd <[email protected]> * saving progress on hashtype flag for kms signer Signed-off-by: chaosinthecrd <[email protected]> * saving kms progress for verifier Signed-off-by: chaosinthecrd <[email protected]> * updating go mod Signed-off-by: chaosinthecrd <[email protected]> * saving progrsss Signed-off-by: chaosinthecrd <[email protected]> * review of AWS KMS signer and adding scrappy implementation of GCP Signer - needs cleanup and testing Signed-off-by: chaosinthecrd <[email protected]> * adding tests and some other changes Signed-off-by: chaosinthecrd <[email protected]> * fixing license headers Signed-off-by: chaosinthecrd <[email protected]> * fixing header Signed-off-by: chaosinthecrd <[email protected]> * small refactor Signed-off-by: chaosinthecrd <[email protected]> * adding hashicorp vault kms signer Signed-off-by: chaosinthecrd <[email protected]> * small fixes Signed-off-by: chaosinthecrd <[email protected]> * adding unfinished fake kms client Signed-off-by: chaosinthecrd <[email protected]> * completing fake client for gcp Signed-off-by: chaosinthecrd <[email protected]> * adding signer test for gcp Signed-off-by: chaosinthecrd <[email protected]> * fixing local verification and adding support for PKCS #1 v1.5 Signed-off-by: chaosinthecrd <[email protected]> * the nested module isn't needed here Signed-off-by: chaosinthecrd <[email protected]> * adding implementation for kms provider options Signed-off-by: chaosinthecrd <[email protected]> * removing hashivault kms for now (not finished) Signed-off-by: chaosinthecrd <[email protected]> * Resolve linter errors Signed-off-by: John Kjell <[email protected]> * Remove unused function Signed-off-by: John Kjell <[email protected]> * added all the obvious options for aws and gcp kms Signed-off-by: chaosinthecrd <[email protected]> * fixing some linting errors Signed-off-by: chaosinthecrd <[email protected]> * some refactors made in the quest of folding out a bug Signed-off-by: chaosinthecrd <[email protected]> * making final changes for PR Signed-off-by: chaosinthecrd <[email protected]> * added public key to parse function Signed-off-by: chaosinthecrd <[email protected]> * removing them again haha Signed-off-by: chaosinthecrd <[email protected]> --------- Signed-off-by: chaosinthecrd <[email protected]> Signed-off-by: John Kjell <[email protected]> Co-authored-by: John Kjell <[email protected]>
in-toto · Feb 15, 2024 · f7a1037 · f7a1037
1 parent c5816df
commit f7a1037
Show file tree

Hide file tree

Showing 19 changed files with 2,878 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,4 @@ log
 sarif-report.json
 test/log
 .idea/
+profile.cov
diff --git a/attestation/context.go b/attestation/context.go
@@ -137,7 +137,7 @@ func (ctx *AttestationContext) RunAttestors() error {
 
 	order := runTypeOrder()
 	for _, k := range order {
-		log.Debugf("starting %s attestors...", k.String())
+		log.Debugf("Starting %s attestors...", k.String())
 		for _, att := range attestors[k] {
 			log.Infof("Starting %v attestor...", att.Name())
 			ctx.runAttestor(att)

diff --git a/cryptoutil/rsa.go b/cryptoutil/rsa.go
@@ -76,7 +76,12 @@ func (v *RSAVerifier) Verify(data io.Reader, sig []byte) error {
 		Hash:       v.hash,
 	}
 
-	return rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts)
+	// AWS KMS introduces the chance that attestations get signed by PKCS1v15 instead of PSS
+	if err := rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts); err != nil {
+		return rsa.VerifyPKCS1v15(v.pub, v.hash, digest, sig)
+	}
+
+	return nil
 }
 
 func (v *RSAVerifier) Bytes() ([]byte, error) {

diff --git a/cryptoutil/util.go b/cryptoutil/util.go
@@ -20,10 +20,21 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io"
 )
 
+// PEMType is a specific type for string constants used during PEM encoding and decoding
+type PEMType string
+
+const (
+	// PublicKeyPEMType is the string "PUBLIC KEY" to be used during PEM encoding and decoding
+	PublicKeyPEMType PEMType = "PUBLIC KEY"
+	// PKCS1PublicKeyPEMType is the string "RSA PUBLIC KEY" used to parse PKCS#1-encoded public keys
+	PKCS1PublicKeyPEMType PEMType = "RSA PUBLIC KEY"
+)
+
 type ErrUnsupportedPEM struct {
 	t string
 }
@@ -85,6 +96,23 @@ func PublicPemBytes(pub interface{}) ([]byte, error) {
 	return pemBytes, err
 }
 
+// UnmarshalPEMToPublicKey converts a PEM-encoded byte slice into a crypto.PublicKey
+func UnmarshalPEMToPublicKey(pemBytes []byte) (crypto.PublicKey, error) {
+	derBytes, _ := pem.Decode(pemBytes)
+	if derBytes == nil {
+		return nil, errors.New("PEM decoding failed")
+	}
+	switch derBytes.Type {
+	case string(PublicKeyPEMType):
+		return x509.ParsePKIXPublicKey(derBytes.Bytes)
+	case string(PKCS1PublicKeyPEMType):
+		return x509.ParsePKCS1PublicKey(derBytes.Bytes)
+	default:
+		return nil, fmt.Errorf("unknown Public key PEM file type: %v. Are you passing the correct public key?",
+			derBytes.Type)
+	}
+}
+
 func TryParsePEMBlock(block *pem.Block) (interface{}, error) {
 	if block == nil {
 		return nil, ErrInvalidPemBlock{}
@@ -147,3 +175,27 @@ func TryParseCertificate(data []byte) (*x509.Certificate, error) {
 
 	return cert, nil
 }
+
+// ComputeDigest calculates the digest value for the specified message using the supplied hash function
+func ComputeDigest(rawMessage io.Reader, hashFunc crypto.Hash, supportedHashFuncs []crypto.Hash) ([]byte, crypto.Hash, error) {
+	var cryptoSignerOpts crypto.SignerOpts = hashFunc
+	hashedWith := cryptoSignerOpts.HashFunc()
+	if !isSupportedAlg(hashedWith, supportedHashFuncs) {
+		return nil, crypto.Hash(0), fmt.Errorf("unsupported hash algorithm: %q not in %v", hashedWith.String(), supportedHashFuncs)
+	}
+
+	digest, err := Digest(rawMessage, hashedWith)
+	return digest, hashedWith, err
+}
+
+func isSupportedAlg(alg crypto.Hash, supportedAlgs []crypto.Hash) bool {
+	if supportedAlgs == nil {
+		return true
+	}
+	for _, supportedAlg := range supportedAlgs {
+		if alg == supportedAlg {
+			return true
+		}
+	}
+	return false
+}
diff --git a/go.mod b/go.mod
@@ -3,11 +3,16 @@ module github.com/in-toto/go-witness
 go 1.21
 
 require (
+	cloud.google.com/go/kms v1.15.2
+	github.com/aws/aws-sdk-go-v2 v1.17.5
+	github.com/aws/aws-sdk-go-v2/config v1.18.14
+	github.com/aws/aws-sdk-go-v2/service/kms v1.20.4
 	github.com/digitorus/pkcs7 v0.0.0-20230220124406-51331ccfc40f
 	github.com/digitorus/timestamp v0.0.0-20230220124323-d542479a2425
 	github.com/edwarnicke/gitoid v0.0.0-20220710194850-1be5bfda1f9d
 	github.com/go-git/go-git/v5 v5.11.0
 	github.com/in-toto/archivista v0.2.0
+	github.com/jellydator/ttlcache/v3 v3.1.1
 	github.com/mattn/go-isatty v0.0.20
 	github.com/open-policy-agent/opa v0.49.2
 	github.com/owenrumney/go-sarif v1.1.1
@@ -21,9 +26,22 @@ require (
 )
 
 require (
+	cloud.google.com/go/compute v1.23.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/iam v1.1.2 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.14 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.29 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.30 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.18.4 // indirect
+	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/coreos/go-oidc/v3 v3.5.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
@@ -36,10 +54,14 @@ require (
 	github.com/google/flatbuffers v2.0.8+incompatible // indirect
 	github.com/google/go-containerregistry v0.13.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/s2a-go v0.1.4 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.12.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -51,9 +73,12 @@ require (
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/zclconf/go-cty v1.12.1 // indirect
+	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
+	golang.org/x/sync v0.5.0 // indirect
 	golang.org/x/tools v0.13.0 // indirect
+	google.golang.org/api v0.128.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231002182017-d307bd883b97 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
@@ -93,7 +118,7 @@ require (
 	golang.org/x/term v0.15.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/genproto v0.0.0-20231012201019-e917dd12ba7a // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	google.golang.org/protobuf v1.32.0
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect