-
Notifications
You must be signed in to change notification settings - Fork 141
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add intermediate CA implementation with KMS-backed signer #496
Conversation
This is a good compromise between the various solutions. While an ephemeral key and certificate would be great, as discussed in #494, this doesn't work well with replicated instances. Moving to a KMS-backed signer gives us the ability to limit and audit signing key access. KMS will also enable us to have far more QPS than CA Service, and controlling the signer will let us implement embedded SCTs (PR coming right up!). With this design, we'll issue intermediates for the same lifetime as the root. I'd like to include the intermediate in the TUF targets to ease client discovery. Also this simplifies the revocation story - If the KMS signer is compromised, we simply remove the intermediate certificate from the TUF target metadata and add a new one. This design also mitigates an issue with |
cc @nsmith5 (Can't add you as a reviewer for some reason) |
Will investigate failing test - It's not failing locally for me. |
One last remark: I haven't added tests for |
9f85490
to
d13744d
Compare
Codecov Report
@@ Coverage Diff @@
## main #496 +/- ##
==========================================
- Coverage 47.97% 43.57% -4.41%
==========================================
Files 14 18 +4
Lines 1063 1221 +158
==========================================
+ Hits 510 532 +22
- Misses 480 615 +135
- Partials 73 74 +1
Continue to review full report at Codecov.
|
Failing test resolved, I switched to using a directory generated by the test library. |
Nice work! |
d13744d
to
6d2e577
Compare
Added tests for |
93fe5f1
to
cb422ed
Compare
cb422ed
to
fb2f3de
Compare
This looks great! |
c52f4b5
to
3e509fd
Compare
PR should be ready to go! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome! Really like the refactor into pkg/intermediateca
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work :D Just a nit about Kms versus KMS, but otherwise LGTM
72f22e6
to
2504406
Compare
Thanks! PR should be good to go unless there's any other comments. |
This CA implementation will use an on-disk certificate chain and a remote KMS signer to sign certificates. There is validation on server startup that the provided chain matches the provided key. I've also added a utility to generate the intermediate certificate by calling GCP CA Service. This will be used to set up Fulcio. This also refactors the code to add an intermediate CA struct that implements the common methods. This makes it simple to add new intermediate CA types, with each only needing to provide a method to fetch a signer and certificate chain. Signed-off-by: Hayden Blauzvern <[email protected]>
2504406
to
057be29
Compare
This CA implementation will use an on-disk certificate chain and a
remote KMS signer to sign certificates. There is validation on server
startup that the provided chain matches the provided key.
I've also added a utility to generate the intermediate certificate by
calling GCP CA Service. This will be used to set up Fulcio.
This also refactors the code to add an intermediate CA struct that
implements the common methods. This makes it simple to add new
intermediate CA types, with each only needing to provide a method to
fetch a signer and certificate chain.
Updated sigstore/sigstore to pull in the latest change to compare public keys.
Tested with:
go run pkg/ca/intermediateca/fetch_ca_cert/fetch_ca_cert.go --kms-key="gcpkms://projects/<project>/locations/us-central1/keyRings/test-key-ring/cryptoKeys/ca-key/versions/1" --gcp-ca-parent="projects/<project>/locations/us-west1/caPools/<pool>" --output="chain.crt.pem"
go run main.go serve --port 5555 --ca kmsca --ct-log-url="" --kms-key="gcpkms://projects/<project>/locations/us-central1/keyRings/test-key-ring/cryptoKeys/ca-key/versions/1" --cert-chain-path="chain.crt.pem"
Made a call using a script based on the load testing tool, got back a certificate chain.
Signed-off-by: Hayden Blauzvern [email protected]
Summary
Ticket Link
Fixes #489
Release Note