At this current moment, KMS verifier flags only apply to the KMS key reference that you supply for verifying the policy signature. When the policy is then read by Witness and used to verify attestation signatures found against the relevant subjects, these flags are ignored. This needs to be fixed as it leads to a confusing experience for the user.
In this scenario, policy-signed.json will have its dsse envelope verified using remote kms verification against the KMS key awskms:///arn:aws:kms:us-east-1:... and with insecureSkipVerify=true in the TLS config as one would expect.
However, let's say that the contents of the policy dsse envelope looks something like:
In the functionaries field, there is one functionary that is expected to have signed any Witness collections from the test step.
During the policy verification flow, Witness will (naturally) make another network call to remotely verify the signature of any witness collection found for this step against the KMS key defined for the functionary (awskms:///arn:aws:kms:us-east-2:...). In this scenario, insecureSkipVerify=true will not be inherited from the --verifier-kms-aws-remote-verify=true flag call from the CLI.
This needs to be fixed so that any configuration of the KMS verifier set by CLI flags is inherited when verifying attestation signatures during the policy verification flow.
One way to work around this issue for now is to define the public key in a base64 encoded form in your policy (this is outlined in the documentation). This will also mean that any verifier of the policy will not need to be able to access the KMS key API endpoint, which could even be more optimal for certain users.
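To make the workaround above concrete, here is an added example (mine, not code from the thread or from the witness project) of turning a KMS public key into the inline form a policy can carry, plus the verifier-side decode that checks the embedded key against its id. The `publickeys` / `functionaries` field names and the key-id convention (hex SHA-256 over the PEM bytes) are assumptions based on my reading of the witness policy documentation, so confirm them against your witness version; the key itself is a locally generated P-256 key standing in for the DER bytes that KMS `GetPublicKey` would return.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"os"
)

// PublicKeyEntry mirrors one value in a policy's "publickeys" map and
// Functionary one element of a step's "functionaries" list. Field names are
// assumptions taken from the witness policy docs; check them against your schema.
type PublicKeyEntry struct {
	KeyID string `json:"keyid"`
	Key   string `json:"key"` // base64 of the PEM-encoded public key
}

type Functionary struct {
	Type        string `json:"type"`
	PublicKeyID string `json:"publickeyid"`
}

// EmbedPublicKey turns the DER (SubjectPublicKeyInfo) bytes that a KMS
// GetPublicKey call returns into the policy entry and the functionary that
// references it. With the key inline, verifying the policy never touches the
// KMS endpoint, so the remote-verify flags stop mattering for that step.
func EmbedPublicKey(der []byte) (PublicKeyEntry, Functionary, error) {
	if _, err := x509.ParsePKIXPublicKey(der); err != nil {
		return PublicKeyEntry{}, Functionary{}, fmt.Errorf("not a PKIX public key: %w", err)
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	// Assumption: key id = hex SHA-256 of the PEM bytes (the witness signer
	// convention as I understand it; compare with a key id your build prints).
	sum := sha256.Sum256(pemBytes)
	keyID := hex.EncodeToString(sum[:])
	entry := PublicKeyEntry{KeyID: keyID, Key: base64.StdEncoding.EncodeToString(pemBytes)}
	return entry, Functionary{Type: "publickey", PublicKeyID: keyID}, nil
}

// DecodeEmbeddedKey is the verifier-side inverse: base64 -> PEM -> key. It
// recomputes the key id so an entry whose key was swapped without updating
// its id is rejected rather than silently trusted.
func DecodeEmbeddedKey(e PublicKeyEntry) (*ecdsa.PublicKey, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(e.Key)
	if err != nil {
		return nil, fmt.Errorf("key is not valid base64: %w", err)
	}
	sum := sha256.Sum256(pemBytes)
	if hex.EncodeToString(sum[:]) != e.KeyID {
		return nil, fmt.Errorf("keyid %s does not match the embedded key", e.KeyID)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, fmt.Errorf("embedded key is not a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing embedded key: %w", err)
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("expected an ECDSA key, got %T", pub)
	}
	return ec, nil
}

func main() {
	// Constructed stand-in for the KMS-held key: a P-256 key generated locally.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	entry, fn, err := EmbedPublicKey(der)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Skeleton with the "test" step from the issue; other policy fields omitted.
	policy := map[string]any{
		"expires": "2030-01-01T00:00:00Z",
		"steps": map[string]any{
			"test": map[string]any{"name": "test", "functionaries": []Functionary{fn}},
		},
		"publickeys": map[string]PublicKeyEntry{entry.KeyID: entry},
	}
	out, _ := json.MarshalIndent(policy, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints a policy fragment whose functionary points at the embedded key by id. The id check in `DecodeEmbeddedKey` is the part worth keeping in any real tooling: once keys travel inside the policy instead of being fetched from KMS, a mismatched or edited entry is the failure mode to detect.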