feat!: add more robust policy constraints

Based off of in-toto ITE7 regarding PKI support for in-toto layouts. We wrote the code for in-toto-golang, so there's a lot of crossover. Adds support for constraining allowed x509 certificates by attributes on the certificate itself. Example use cases may be constraining on an expected SPIFFE ID or user's email to ensure that the identity for the certificate is who we trust as a functionary. BREAKING CHANGE: policies that used certificate constraints previously may now fail due to the additional constraints in this pull request. Since the unmarshal code will default these constraints to empty arrays, any certificate will fail the constraint unless their respective attributes are also empty. Signed-off-by: Mikhail Swift <[email protected]>
in-toto · Feb 24, 2022 · f5d2d2c · f5d2d2c
1 parent ace8194
commit f5d2d2c
Show file tree

Hide file tree

Showing 6 changed files with 684 additions and 20 deletions.
diff --git a/docs/policy.md b/docs/policy.md
@@ -77,8 +77,42 @@ Policies are JSON documents that are signed and wrapped in a DSSE envelope. The
 
 | Key | Type | Description |
 | --- | ---- | ----------- |
+| `commonname` | string | Common name that the certifiate's subject must have |
+| `dnsnames` | array of strings | DNS names that the certificate must have |
+| `emails` | array of strings | Email addresses that the certificate must have |
+| `organizations` | array of strings | Organizations that the certificate must have |
+| `uris` | array of strings | URIs that the certificate must have |
 | `roots` | array of strings | Array of Key IDs the signer's certificate must belong to to be trusted. |
 
+Every attribute of the certificate must match the attributes defined by the constraint exactly. A certificate must match
+at least one constraint to pass the policy. Wildcards are allowed if they are the only elemnt in the constraint.
+
+Example of a constraint that would allow any certificate, as long as it belongs to a root defined in the policy:
+
+```
+{
+  "commonname": "*",
+  "dnsnames": ["*"],
+  "emails": ["*"],
+  "organizations": ["*"],
+  "uris": ["*"],
+  "roots": ["*"]
+}
+```
+
+SPIFFE IDs are defined as URIs on the certificate, so a policy that would enforce a SPIFFE ID may look like:
+
+```
+{
+  "commonname": "*",
+  "dnsnames": ["*"],
+  "emails": ["*"],
+  "organizations": ["*"],
+  "uris": ["spiffe://example.com/step1"],
+  "roots": ["*"]
+}
+```
+
 ### `attestation` Object
 
 | Key | Type | Description |
@@ -112,8 +146,8 @@ deny[msg] {
 {
   "expires": "2022-12-17T23:57:40-05:00",
   "steps": {
-		"clone": {
-			"name": "clone",
+    "clone": {
+      "name": "clone",
       "attestations": [
         {
           "type": "https://witness.testifysec.com/attestations/material/v0.1",
@@ -134,10 +168,10 @@ deny[msg] {
           "publickeyid": "ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647"
         }
       ]
-		},
+    },
     "build": {
       "name": "build",
-			"artifactsFrom": ["clone"],
+      "artifactsFrom": ["clone"],
       "attestations": [
         {
           "type": "https://witness.testifysec.com/attestations/material/v0.1",
@@ -161,6 +195,17 @@ deny[msg] {
         {
           "type": "publickey",
           "publickeyid": "ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647"
+        },
+        {
+          "type": "root",
+          "certConstraint": {
+            "commonname": "*",
+            "dnsnames": ["*"],
+            "emails": ["*"],
+            "organizations": ["*"],
+            "uris": ["spiffe://example.com/step1"],
+            "roots": ["ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647"]
+          }
         }
       ]
     }
@@ -170,6 +215,11 @@ deny[msg] {
       "keyid": "ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647",
       "key": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUNvd0JRWURLMlZ3QXlFQWYyOW9QUDhVZ2hCeUc4NTJ1QmRPeHJKS0tuN01NNWhUYlA5ZXNnT1ovazA9Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo="
     }
+  },
+  "roots": {
+    "949aaab542a02514f27f41ed8e443bb54bbd9b062ca3ce1da2492170d8fffe98": {
+      "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURhekNDQWxPZ0F3SUJBZ0lVSnlobzI5ckorTXZYdGhGZjRncnV3UWhUZVNNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNWVk14RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TWpBeU1qTXlNalV4TkRoYUZ3MHlOekF5Ck1qSXlNalV4TkRoYU1FVXhDekFKQmdOVkJBWVRBbFZUTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0VpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3VnVnNVYlV1cHB6S3ArOUxyckxLeGFrc0JlVTRiei9lQ0w1ZXo0bEppClFhcm1vcVRDeWI0WlVqVTNTSCsxYVdLSU9aM2kyeUZmL0hYRktNemh5SHFWZnpzbDVJUEo5TzVTR0huK3FldnoKVzBTMVdQeEN4MS9KdlFoUFNaQ21adWhaMmI5NFVYdXhCL2tSWGRiNnhYdnVReVFPMDYybTQrTkZWYVhBWWZjTQprVUlBSnpQTUZUSHhKOUQ1dWdaMWlSV0VHUUQ1d2kwNS9ZRG5yZHR3N2J3V3ZkOW4yL3c1UHUvUU1iVHZ4NWxlCnNFK2U1ZWZZd1NZLzBvT2dWRHBHVG9TVStpeDMrYWVlVjFSL1IvNm81NlJ0LzQ5eG9KWjF5bCtyQ3ByOUswN3AKL0FOSk9HTE5oYlRXVGp1N1lTSUxtbnYreVJwRUdUTnptU1lpNEFFTStZYm5BZ01CQUFHalV6QlJNQjBHQTFVZApEZ1FXQkJRemppS2pzR1NZNjUvNTFlQVJINVpEdXFIOUtEQWZCZ05WSFNNRUdEQVdnQlF6amlLanNHU1k2NS81CjFlQVJINVpEdXFIOUtEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmgKUXhBNWExMUJ4VXh6Q1hObDg4ZUxkaDg5NlNudkdwYkNTZVhxQzJKS0w2QkxHVHg4NC9SZmMxNzVyZ2VUTW9YcQpEWjA1Nm9xc1FPZ2czWVRXWEJDMTJJbmVnUW40Wm90L2cydWk3cTJOZ0NZNWNSSG9qZnhQd2JxbS9uU2k1eXNSClFCQTZuMUJ3cUlZclBpVVBvcE9YY1BIQVJ4SEwzUitIOHRpWCtyM1hRM3FZdnNuTUpOL3JlcGJOQjJKVi9TL28KT0llT1U5Y1RJRnRHNWNNd2RHcTdMeVlkK095NkRiNjN5aDNkNS82bEZOVElqdlZXaHhzS280U3dxZlhuOXY4TApia2xTOFB0Mm12MVMxa2thZGhMT1FqaGlBQ1N2UHB6OW5USXdXWTJUYTcvNGpFR0I3ZTF3aU8wZ0dhbFJhVXQyClpmYmt3eXFSQWxXUXNBcDJqZS8wCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+    }
   }
 }
 ```

diff --git a/pkg/policy/constraints.go b/pkg/policy/constraints.go
@@ -0,0 +1,138 @@
+// Copyright 2022 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+	"fmt"
+	"net/url"
+
+	"github.com/testifysec/witness/pkg/cryptoutil"
+)
+
+const (
+	AllowAllConstraint = "*"
+)
+
+type CertConstraint struct {
+	CommonName    string   `json:"commonname"`
+	DNSNames      []string `json:"dnsnames"`
+	Emails        []string `json:"emails"`
+	Organizations []string `json:"organizations"`
+	URIs          []string `json:"uris"`
+	Roots         []string `json:"roots"`
+}
+
+func (cc CertConstraint) Check(verifier *cryptoutil.X509Verifier, trustBundles map[string]TrustBundle) error {
+	errs := make([]error, 0)
+	cert := verifier.Certificate()
+
+	if err := checkCertConstraint("common name", []string{cc.CommonName}, []string{cert.Subject.CommonName}); err != nil {
+		errs = append(errs, err)
+	}
+
+	if err := checkCertConstraint("dns name", cc.DNSNames, cert.DNSNames); err != nil {
+		errs = append(errs, err)
+	}
+
+	if err := checkCertConstraint("email", cc.Emails, cert.EmailAddresses); err != nil {
+		errs = append(errs, err)
+	}
+
+	if err := checkCertConstraint("organization", cc.Organizations, cert.Subject.Organization); err != nil {
+		errs = append(errs, err)
+	}
+
+	if err := checkCertConstraint("uri", cc.URIs, urisToStrings(cert.URIs)); err != nil {
+		errs = append(errs, err)
+	}
+
+	if err := cc.checkTrustBundles(verifier, trustBundles); err != nil {
+		errs = append(errs, err)
+	}
+
+	if len(errs) > 0 {
+		return ErrConstraintCheckFailed{errs}
+	}
+
+	return nil
+}
+
+func (cc CertConstraint) checkTrustBundles(verifier *cryptoutil.X509Verifier, trustBundles map[string]TrustBundle) error {
+	if len(cc.Roots) == 1 && cc.Roots[0] == AllowAllConstraint {
+		for _, bundle := range trustBundles {
+			if err := verifier.BelongsToRoot(bundle.Root); err == nil {
+				return nil
+			}
+		}
+	} else {
+		for _, rootID := range cc.Roots {
+			if bundle, ok := trustBundles[rootID]; ok {
+				if err := verifier.BelongsToRoot(bundle.Root); err == nil {
+					return nil
+				}
+			}
+		}
+	}
+
+	return fmt.Errorf("cert doesn't belong to any root specified by constraint %+q", cc.Roots)
+}
+
+func urisToStrings(uris []*url.URL) []string {
+	res := make([]string, 0)
+	for _, uri := range uris {
+		res = append(res, uri.String())
+	}
+
+	return res
+}
+
+func checkCertConstraint(attribute string, constraints, values []string) error {
+	// If our only constraint is the AllowAllConstraint it's a pass
+	if len(constraints) == 1 && constraints[0] == AllowAllConstraint {
+		return nil
+	}
+
+	// treat a single empty string the same as a constraint on an empty attribute
+	if len(constraints) == 1 && constraints[0] == "" {
+		constraints = []string{}
+	}
+
+	if len(values) == 1 && values[0] == "" {
+		values = []string{}
+	}
+
+	if len(constraints) == 0 && len(values) > 0 {
+		return fmt.Errorf("not expecting any %s(s), but cert has %d %s(s)", attribute, len(values), attribute)
+	}
+
+	unmet := make(map[string]struct{})
+	for _, constraint := range constraints {
+		unmet[constraint] = struct{}{}
+	}
+
+	for _, value := range values {
+		if _, ok := unmet[value]; !ok {
+			return fmt.Errorf("cert has an unexpected %s %s given constraints %+q", attribute, value, constraints)
+		}
+
+		delete(unmet, value)
+	}
+
+	if len(unmet) > 0 {
+		return fmt.Errorf("cert with %s(s) %+qDid not pass all constraints %+q", attribute, values, constraints)
+	}
+
+	return nil
+}