Add intermediate CA implementation with KMS-backed signer

This CA implementation will use an on-disk certificate chain and a remote KMS signer to sign certificates. There is validation on server startup that the provided chain matches the provided key. I've also added a utility to generate the intermediate certificate by calling GCP CA Service. This will be used to set up Fulcio. This also refactors the code to add an intermediate CA struct that implements the common methods. This makes it simple to add new intermediate CA types, with each only needing to provide a method to fetch a signer and certificate chain. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Mar 31, 2022 · 9f85490 · 9f85490
1 parent 765a06a
commit 9f85490
Show file tree

Hide file tree

Showing 12 changed files with 821 additions and 146 deletions.
diff --git a/cmd/app/serve.go b/cmd/app/serve.go
@@ -31,6 +31,7 @@ import (
 	"github.com/sigstore/fulcio/pkg/ca/ephemeralca"
 	"github.com/sigstore/fulcio/pkg/ca/fileca"
 	googlecav1 "github.com/sigstore/fulcio/pkg/ca/googleca/v1"
+	"github.com/sigstore/fulcio/pkg/ca/kmsca"
 	"github.com/sigstore/fulcio/pkg/ca/x509ca"
 	"github.com/sigstore/fulcio/pkg/config"
 	"github.com/sigstore/fulcio/pkg/ctl"
@@ -53,7 +54,7 @@ func newServeCmd() *cobra.Command {
 
 	cmd.Flags().StringVarP(&serveCmdConfigFilePath, "config", "c", "", "config file containing all settings")
 	cmd.Flags().String("log_type", "dev", "logger type to use (dev/prod)")
-	cmd.Flags().String("ca", "", "googleca | pkcs11ca | fileca | ephemeralca (for testing)")
+	cmd.Flags().String("ca", "", "googleca | pkcs11ca | fileca | kmsca | ephemeralca (for testing)")
 	cmd.Flags().String("aws-hsm-root-ca-path", "", "Path to root CA on disk (only used with AWS HSM)")
 	cmd.Flags().String("gcp_private_ca_parent", "", "private ca parent: /projects/<project>/locations/<location>/<name> (only used with --ca googleca)")
 	cmd.Flags().String("hsm-caroot-id", "", "HSM ID for Root CA (only used with --ca pkcs11ca)")
@@ -64,6 +65,8 @@ func newServeCmd() *cobra.Command {
 	cmd.Flags().String("fileca-key", "", "Path to CA encrypted private key")
 	cmd.Flags().String("fileca-key-passwd", "", "Password to decrypt CA private key")
 	cmd.Flags().Bool("fileca-watch", true, "Watch filesystem for updates")
+	cmd.Flags().String("kms-key", "", "KMS key resource path")
+	cmd.Flags().String("cert-chain-path", "", "Path to PEM-encoded CA certificate chain")
 	cmd.Flags().String("host", "0.0.0.0", "The host on which to serve requests")
 	cmd.Flags().String("port", "8080", "The port on which to serve requests")
 
@@ -101,7 +104,6 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 			// There's a MarkDeprecated function in cobra/pflags, but it doesn't use log.Logger
 			log.Logger.Warn("gcp_private_ca_version is deprecated and will soon be removed; please remove it")
 		}
-
 	case "fileca":
 		if !viper.IsSet("fileca-cert") {
 			log.Logger.Fatal("fileca-cert must be set to certificate path when using fileca")
@@ -112,7 +114,13 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 		if !viper.IsSet("fileca-key-passwd") {
 			log.Logger.Fatal("fileca-key-passwd must be set to encryption password for private key file when using fileca")
 		}
-
+	case "kmsca":
+		if !viper.IsSet("kms-key") {
+			log.Logger.Fatal("kms-key must be set when using kmsca")
+		}
+		if !viper.IsSet("cert-chain-path") {
+			log.Logger.Fatal("cert-chain-path must be set when using kmsca")
+		}
 	case "ephemeralca":
 		// this is a no-op since this is a self-signed in-memory CA for testing
 	default:
@@ -153,6 +161,8 @@ func runServeCmd(cmd *cobra.Command, args []string) {
 		baseca, err = fileca.NewFileCA(certFile, keyFile, keyPass, watch)
 	case "ephemeralca":
 		baseca, err = ephemeralca.NewEphemeralCA()
+	case "kmsca":
+		baseca, err = kmsca.NewKmsCA(cmd.Context(), viper.GetString("kms-key"), viper.GetString("cert-chain-path"))
 	default:
 		err = fmt.Errorf("invalid value for configured CA: %v", baseca)
 	}

diff --git a/go.mod b/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/prometheus/client_golang v1.12.1
 	github.com/prometheus/client_model v0.2.0
 	github.com/prometheus/common v0.33.0
-	github.com/sigstore/sigstore v1.2.1-0.20220328200116-ef48ee800626
+	github.com/sigstore/sigstore v1.2.1-0.20220330193110-d7475aecf1db
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/viper v1.10.1
 	github.com/stretchr/testify v1.7.1

diff --git a/go.sum b/go.sum
diff --git a/pkg/ca/fileca/fileca.go b/pkg/ca/fileca/fileca.go
@@ -16,24 +16,16 @@
 package fileca
 
 import (
-	"context"
 	"crypto"
-	"crypto/rand"
 	"crypto/x509"
-	"sync"
 
 	"github.com/fsnotify/fsnotify"
 	"github.com/sigstore/fulcio/pkg/ca"
-	"github.com/sigstore/fulcio/pkg/ca/x509ca"
-	"github.com/sigstore/fulcio/pkg/challenges"
-	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"github.com/sigstore/fulcio/pkg/ca/intermediateca"
 )
 
 type fileCA struct {
-	sync.RWMutex
-
-	certs []*x509.Certificate
-	key   crypto.Signer
+	intermediateca.IntermediateCA
 }
 
 // NewFileCA returns a file backed certificate authority. Expects paths to a
@@ -43,7 +35,7 @@ func NewFileCA(certPath, keyPath, keyPass string, watch bool) (ca.CertificateAut
 	var fca fileCA
 
 	var err error
-	fca.certs, fca.key, err = loadKeyPair(certPath, keyPath, keyPass)
+	fca.Certs, fca.Signer, err = loadKeyPair(certPath, keyPath, keyPass)
 	if err != nil {
 		return nil, err
 	}
@@ -68,43 +60,13 @@ func NewFileCA(certPath, keyPath, keyPass string, watch bool) (ca.CertificateAut
 	return &fca, err
 }
 
-func (fca *fileCA) updateX509KeyPair(certs []*x509.Certificate, key crypto.Signer) {
+func (fca *fileCA) updateX509KeyPair(certs []*x509.Certificate, signer crypto.Signer) {
 	fca.Lock()
 	defer fca.Unlock()
 
 	// NB: We use the RWLock to unsure a reading thread can't get a mismatching
 	// cert / key pair by reading the attributes halfway through the update
 	// below.
-	fca.certs = certs
-	fca.key = key
-}
-
-func (fca *fileCA) getX509KeyPair() ([]*x509.Certificate, crypto.Signer) {
-	fca.RLock()
-	defer fca.RUnlock()
-	return fca.certs, fca.key
-}
-
-// CreateCertificate issues code signing certificates
-func (fca *fileCA) CreateCertificate(_ context.Context, subject *challenges.ChallengeResult) (*ca.CodeSigningCertificate, error) {
-	cert, err := x509ca.MakeX509(subject)
-	if err != nil {
-		return nil, err
-	}
-
-	certChain, privateKey := fca.getX509KeyPair()
-
-	finalCertBytes, err := x509.CreateCertificate(rand.Reader, cert, certChain[0], subject.PublicKey, privateKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return ca.CreateCSCFromDER(subject, finalCertBytes, certChain)
-}
-
-func (fca *fileCA) Root(ctx context.Context) ([]byte, error) {
-	fca.RLock()
-	defer fca.RUnlock()
-
-	return cryptoutils.MarshalCertificatesToPEM(fca.certs)
+	fca.Certs = certs
+	fca.Signer = signer
 }
diff --git a/pkg/ca/fileca/fileca_test.go b/pkg/ca/fileca/fileca_test.go
@@ -57,7 +57,7 @@ func TestCertUpdate(t *testing.T) {
 		t.Fatal(`Bad CA type`)
 	}
 
-	_, key := fca.getX509KeyPair()
+	key := fca.Signer
 	if _, ok = key.(ed25519.PrivateKey); !ok {
 		t.Error(`first key should have been an ed25519 key`)
 	}
@@ -68,7 +68,7 @@ func TestCertUpdate(t *testing.T) {
 	}
 
 	fca.updateX509KeyPair(cert, key)
-	_, key = fca.getX509KeyPair()
+	key = fca.Signer
 
 	if _, ok = key.(*ecdsa.PrivateKey); !ok {
 		t.Fatal(`file CA should have been updated with ecdsa key`)

diff --git a/pkg/ca/fileca/load.go b/pkg/ca/fileca/load.go
@@ -18,71 +18,30 @@ package fileca
 import (
 	"bytes"
 	"crypto"
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/rsa"
 	"crypto/x509"
 	"errors"
+	"os"
+	"path/filepath"
 
+	"github.com/sigstore/fulcio/pkg/ca/intermediateca"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"go.step.sm/crypto/pemutil"
 )
 
 func loadKeyPair(certPath, keyPath, keyPass string) ([]*x509.Certificate, crypto.Signer, error) {
-
 	var (
 		certs []*x509.Certificate
 		err   error
 		key   crypto.Signer
 	)
 
-	// NB: certs are ordered from leaf at certs[0] to root at
-	// certs[len(certs)-1]
-	certs, err = pemutil.ReadCertificateBundle(certPath)
+	data, err := os.ReadFile(filepath.Clean(certPath))
 	if err != nil {
 		return nil, nil, err
 	}
-
-	// Verify certificate chain
-	{
-		roots := x509.NewCertPool()
-		roots.AddCert(certs[len(certs)-1])
-
-		intermediates := x509.NewCertPool()
-		if len(certs) > 2 {
-			for _, intermediate := range certs[1 : len(certs)-1] {
-				intermediates.AddCert(intermediate)
-			}
-		}
-
-		opts := x509.VerifyOptions{
-			Roots:         roots,
-			Intermediates: intermediates,
-			KeyUsages: []x509.ExtKeyUsage{
-				x509.ExtKeyUsageCodeSigning,
-			},
-		}
-		if _, err := certs[0].Verify(opts); err != nil {
-			return nil, nil, err
-		}
-
-		if !certs[0].IsCA {
-			return nil, nil, errors.New(`fileca: certificate is not a CA`)
-		}
-
-		// If using an intermediate, verify that code signing extended key
-		// usage is set to satify extended key usage chainging
-		if len(certs) > 1 {
-			var hasExtKeyUsageCodeSigning bool
-			for _, extKeyUsage := range certs[0].ExtKeyUsage {
-				if extKeyUsage == x509.ExtKeyUsageCodeSigning {
-					hasExtKeyUsageCodeSigning = true
-					break
-				}
-			}
-			if !hasExtKeyUsageCodeSigning {
-				return nil, nil, errors.New(`fileca: certificate must have extended key usage code signing set to sign code signing certificates`)
-			}
-		}
+	certs, err = cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(data))
+	if err != nil {
+		return nil, nil, err
 	}
 
 	{
@@ -98,46 +57,9 @@ func loadKeyPair(certPath, keyPath, keyPass string) ([]*x509.Certificate, crypto
 		}
 	}
 
-	if !valid(certs[0], key) {
-		return nil, nil, errors.New(`fileca: certificate public key and private key don't match`)
+	if err := intermediateca.VerifyCertChain(certs, key); err != nil {
+		return nil, nil, err
 	}
 
 	return certs, key, nil
 }
-
-func valid(cert *x509.Certificate, key crypto.Signer) bool {
-	if cert == nil || key == nil {
-		return false
-	}
-
-	switch pub := cert.PublicKey.(type) {
-	case *rsa.PublicKey:
-		priv, ok := key.(*rsa.PrivateKey)
-		if !ok {
-			return false
-		}
-		if pub.N.Cmp(priv.N) != 0 {
-			return false
-		}
-	case *ecdsa.PublicKey:
-		priv, ok := key.(*ecdsa.PrivateKey)
-		if !ok {
-			return false
-		}
-		if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
-			return false
-		}
-	case ed25519.PublicKey:
-		priv, ok := key.(ed25519.PrivateKey)
-		if !ok {
-			return false
-		}
-		if !bytes.Equal(priv.Public().(ed25519.PublicKey), pub) {
-			return false
-		}
-	default:
-		return false
-	}
-
-	return true
-}