feat: add support for fulcio keyless signatures

- CA verification of policy - Get cert from fulcio
in-toto · May 9, 2022 · 98d8714 · 98d8714
1 parent b928ea1
commit 98d8714
Show file tree

Hide file tree

Showing 16 changed files with 521 additions and 119 deletions.
diff --git a/cmd/witness/cmd/keyloader.go b/cmd/witness/cmd/keyloader.go
@@ -0,0 +1,66 @@
+// Copyright 2022 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/testifysec/witness/cmd/witness/options"
+	"github.com/testifysec/witness/pkg/cryptoutil"
+	"github.com/testifysec/witness/pkg/signer/file"
+	"github.com/testifysec/witness/pkg/signer/fulcio"
+	"github.com/testifysec/witness/pkg/signer/spiffe"
+)
+
+func loadSigners(ctx context.Context, ko options.KeyOptions) ([]cryptoutil.Signer, []error) {
+	signers := []cryptoutil.Signer{}
+	errors := []error{}
+
+	//Load key from fulcio
+	if ko.FulcioURL != "" {
+		fulcioSigner, err := fulcio.Signer(ctx, ko.FulcioURL, ko.OIDCClientID, ko.OIDCIssuer)
+		if err != nil {
+			err := fmt.Errorf("failed to create signer from Fulcio: %w", err)
+			errors = append(errors, err)
+		} else {
+			signers = append(signers, fulcioSigner)
+		}
+	}
+
+	//Load key from file
+	if ko.KeyPath != "" {
+		fileSigner, err := file.Signer(ctx, ko.KeyPath, ko.CertPath, ko.IntermediatePaths)
+		if err != nil {
+			err := fmt.Errorf("failed to create signer from file: %w", err)
+			errors = append(errors, err)
+		} else {
+			signers = append(signers, fileSigner)
+		}
+	}
+
+	//Load key from spire agent
+	if ko.SpiffePath != "" {
+		spiffeSigner, err := spiffe.Signer(ctx, ko.SpiffePath)
+		if err != nil {
+			err := fmt.Errorf("failed to create signer from spiffe: %w", err)
+			errors = append(errors, err)
+		} else {
+			signers = append(signers, spiffeSigner)
+		}
+	}
+
+	return signers, errors
+}
diff --git a/cmd/witness/cmd/root.go b/cmd/witness/cmd/root.go
@@ -15,16 +15,12 @@
 package cmd
 
 import (
-	"context"
 	"fmt"
 	"os"
 
 	"github.com/spf13/cobra"
 	"github.com/testifysec/witness/cmd/witness/options"
-	"github.com/testifysec/witness/pkg/cryptoutil"
 	"github.com/testifysec/witness/pkg/log"
-	"github.com/testifysec/witness/pkg/signer/file"
-	"github.com/testifysec/witness/pkg/signer/spiffe"
 )
 
 var (
@@ -67,31 +63,6 @@ func preRoot(cmd *cobra.Command, ro *options.RootOptions) {
 	}
 }
 
-func loadSigners(ctx context.Context, ko options.KeyOptions) ([]cryptoutil.Signer, []error) {
-	signers := []cryptoutil.Signer{}
-	errors := []error{}
-
-	if ko.SpiffePath != "" {
-		s, err := spiffe.Signer(ctx, ko.SpiffePath)
-		if err != nil {
-			errors = append(errors, fmt.Errorf("failed to create signer: %v", err))
-		} else {
-			signers = append(signers, s)
-		}
-	}
-
-	if ko.KeyPath != "" {
-		s, err := file.Signer(ctx, ko.KeyPath, ko.CertPath, ko.IntermediatePaths)
-		if err != nil {
-			errors = append(errors, fmt.Errorf("failed to create signer: %v", err))
-		} else {
-			signers = append(signers, s)
-		}
-	}
-
-	return signers, errors
-}
-
 func loadOutfile(outFilePath string) (*os.File, error) {
 	var err error
 	out := os.Stdout

diff --git a/cmd/witness/cmd/run.go b/cmd/witness/cmd/run.go
@@ -46,6 +46,7 @@ func RunCmd() *cobra.Command {
 
 func runRun(ro options.RunOptions, args []string) error {
 	ctx := context.Background()
+
 	signers, errors := loadSigners(ctx, ro.KeyOptions)
 	if len(errors) > 0 {
 		for _, err := range errors {

diff --git a/cmd/witness/cmd/sign.go b/cmd/witness/cmd/sign.go
@@ -47,6 +47,12 @@ func SignCmd() *cobra.Command {
 //we need to abstract where keys are coming from, etc
 func runSign(so options.SignOptions) error {
 	ctx := context.Background()
+
+	if so.KeyOptions.FulcioURL != "" {
+		err := fmt.Errorf("fulcio url is not supported for signing")
+		return err
+	}
+
 	signers, errors := loadSigners(ctx, so.KeyOptions)
 	if len(errors) > 0 {
 		for _, err := range errors {

diff --git a/cmd/witness/cmd/verify.go b/cmd/witness/cmd/verify.go
@@ -55,15 +55,24 @@ const (
 //todo: this logic should be broken out and moved to pkg/
 //we need to abstract where keys are coming from, etc
 func runVerify(vo options.VerifyOptions, args []string) error {
-	keyFile, err := os.Open(vo.KeyPath)
-	if err != nil {
-		return fmt.Errorf("failed to open key file: %v", err)
+	if vo.KeyPath == "" && len(vo.CAPaths) == 0 {
+		return fmt.Errorf("must suply public key or ca paths")
 	}
 
-	defer keyFile.Close()
-	verifier, err := cryptoutil.NewVerifierFromReader(keyFile)
-	if err != nil {
-		return fmt.Errorf("failed to load key: %v", err)
+	var verifier cryptoutil.Verifier
+
+	if vo.KeyPath != "" {
+		keyFile, err := os.Open(vo.KeyPath)
+		if err != nil {
+			return fmt.Errorf("failed to open key file: %w", err)
+		}
+		defer keyFile.Close()
+
+		verifier, err = cryptoutil.NewVerifierFromReader(keyFile)
+		if err != nil {
+			return fmt.Errorf("failed to create verifier: %w", err)
+		}
+
 	}
 
 	inFile, err := os.Open(vo.PolicyFilePath)