Skip to content

Commit f875aa2

Browse files
haydentherapperbobcallaway
haydentherapper
and
bobcallaway
authored
Support per-shard signing keys (#2330)
* Support per-shard signing keys This change enables key rotation with a per-shard signing key configuration. The LogRanges structure now holds both active and inactive shards, with the LogRange structure containing a signer, encoded public key and log ID based on the public key. This change is backwards compatible. If no signing configuration is specified, the active shard signing configuration is used for all shards. Minor change: Standardized log ID vs tree ID, where the former is the pubkey hash and the latter is the ID for the Trillian tree. Signed-off-by: Hayden Blauzvern <[email protected]> * resolve codeql, remove key password from string Signed-off-by: Hayden Blauzvern <[email protected]> * Update rekor-cli to pass tree ID for verification Signed-off-by: Hayden Blauzvern <[email protected]> * Fix range printing Signed-off-by: Hayden Blauzvern <[email protected]> * suppress codeql Signed-off-by: Hayden Blauzvern <[email protected]> * remove lgtm, it does nothing Signed-off-by: Hayden Blauzvern <[email protected]> * address comments Signed-off-by: Hayden Blauzvern <[email protected]> * Apply suggestions from code review Co-authored-by: Bob Callaway <[email protected]> Signed-off-by: Hayden B <[email protected]> --------- Signed-off-by: Hayden Blauzvern <[email protected]> Signed-off-by: Hayden B <[email protected]> Co-authored-by: Bob Callaway <[email protected]>
1 parent 88b5ce5 commit f875aa2

16 files changed

+510
-193
lines changed

cmd/rekor-cli/app/get.go

+19-5
Original file line numberDiff line numberDiff line change
@@ -92,11 +92,6 @@ var getCmd = &cobra.Command{
9292
if logIndex == "" && uuid == "" {
9393
return nil, errors.New("either --uuid or --log-index must be specified")
9494
}
95-
// retrieve rekor pubkey for verification
96-
verifier, err := loadVerifier(rekorClient)
97-
if err != nil {
98-
return nil, fmt.Errorf("retrieving rekor public key")
99-
}
10095

10196
if logIndex != "" {
10297
params := entries.NewGetLogEntryByIndexParams()
@@ -113,6 +108,15 @@ var getCmd = &cobra.Command{
113108
}
114109
var e models.LogEntryAnon
115110
for ix, entry := range resp.Payload {
111+
// retrieve rekor pubkey for verification
112+
treeID, err := sharding.TreeID(ix)
113+
if err != nil {
114+
return nil, err
115+
}
116+
verifier, err := loadVerifier(rekorClient, strconv.FormatInt(treeID, 10))
117+
if err != nil {
118+
return nil, fmt.Errorf("retrieving rekor public key: %w", err)
119+
}
116120
// verify log entry
117121
e = entry
118122
if err := verify.VerifyLogEntry(ctx, &e, verifier); err != nil {
@@ -143,6 +147,16 @@ var getCmd = &cobra.Command{
143147

144148
var e models.LogEntryAnon
145149
for k, entry := range resp.Payload {
150+
// retrieve rekor pubkey for verification
151+
treeID, err := sharding.TreeID(k)
152+
if err != nil {
153+
return nil, err
154+
}
155+
verifier, err := loadVerifier(rekorClient, strconv.FormatInt(treeID, 10))
156+
if err != nil {
157+
return nil, fmt.Errorf("retrieving rekor public key: %w", err)
158+
}
159+
146160
if err := compareEntryUUIDs(params.EntryUUID, k); err != nil {
147161
return nil, err
148162
}

cmd/rekor-cli/app/log_info.go

+4-3
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,7 @@ import (
3434
"github.com/sigstore/rekor/cmd/rekor-cli/app/format"
3535
"github.com/sigstore/rekor/cmd/rekor-cli/app/state"
3636
"github.com/sigstore/rekor/pkg/client"
37+
"github.com/sigstore/rekor/pkg/generated/client/pubkey"
3738
"github.com/sigstore/rekor/pkg/generated/client/tlog"
3839
"github.com/sigstore/rekor/pkg/log"
3940
"github.com/sigstore/rekor/pkg/util"
@@ -131,7 +132,7 @@ func verifyTree(ctx context.Context, rekorClient *rclient.Rekor, signedTreeHead,
131132
if err := sth.UnmarshalText([]byte(signedTreeHead)); err != nil {
132133
return err
133134
}
134-
verifier, err := loadVerifier(rekorClient)
135+
verifier, err := loadVerifier(rekorClient, treeID)
135136
if err != nil {
136137
return err
137138
}
@@ -160,11 +161,11 @@ func verifyTree(ctx context.Context, rekorClient *rclient.Rekor, signedTreeHead,
160161
return nil
161162
}
162163

163-
func loadVerifier(rekorClient *rclient.Rekor) (signature.Verifier, error) {
164+
func loadVerifier(rekorClient *rclient.Rekor, treeID string) (signature.Verifier, error) {
164165
publicKey := viper.GetString("rekor_server_public_key")
165166
if publicKey == "" {
166167
// fetch key from server
167-
keyResp, err := rekorClient.Pubkey.GetPublicKey(nil)
168+
keyResp, err := rekorClient.Pubkey.GetPublicKey(pubkey.NewGetPublicKeyParams().WithTreeID(swag.String(treeID)))
168169
if err != nil {
169170
return nil, err
170171
}

cmd/rekor-cli/app/upload.go

+11-2
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,7 @@ import (
2323
"net/url"
2424
"os"
2525
"path/filepath"
26+
"strconv"
2627

2728
"github.com/go-openapi/runtime"
2829
"github.com/go-openapi/swag"
@@ -35,6 +36,7 @@ import (
3536
"github.com/sigstore/rekor/pkg/generated/client/entries"
3637
"github.com/sigstore/rekor/pkg/generated/models"
3738
"github.com/sigstore/rekor/pkg/log"
39+
"github.com/sigstore/rekor/pkg/sharding"
3840
"github.com/sigstore/rekor/pkg/types"
3941
"github.com/sigstore/rekor/pkg/verify"
4042
)
@@ -122,13 +124,20 @@ var uploadCmd = &cobra.Command{
122124

123125
var newIndex int64
124126
var logEntry models.LogEntryAnon
125-
for _, entry := range resp.Payload {
127+
var uuid string
128+
for k, entry := range resp.Payload {
129+
uuid = k
126130
newIndex = swag.Int64Value(entry.LogIndex)
127131
logEntry = entry
128132
}
129133

134+
treeID, err := sharding.TreeID(uuid)
135+
if err != nil {
136+
return nil, err
137+
}
138+
130139
// verify log entry
131-
verifier, err := loadVerifier(rekorClient)
140+
verifier, err := loadVerifier(rekorClient, strconv.FormatInt(treeID, 10))
132141
if err != nil {
133142
return nil, fmt.Errorf("retrieving rekor public key")
134143
}

cmd/rekor-cli/app/verify.go

+6-1
Original file line numberDiff line numberDiff line change
@@ -165,9 +165,14 @@ var verifyCmd = &cobra.Command{
165165
}
166166
}
167167

168+
treeID, err := sharding.TreeID(o.EntryUUID)
169+
if err != nil {
170+
return nil, err
171+
}
172+
168173
// Get Rekor Pub
169174
// TODO(asraa): Replace with sigstore's GetRekorPubs to use TUF.
170-
verifier, err := loadVerifier(rekorClient)
175+
verifier, err := loadVerifier(rekorClient, strconv.FormatInt(treeID, 10))
171176
if err != nil {
172177
return nil, err
173178
}

pkg/api/api.go

+14-41
Original file line numberDiff line numberDiff line change
@@ -17,10 +17,8 @@ package api
1717

1818
import (
1919
"context"
20-
"crypto/sha256"
2120
"crypto/tls"
2221
"crypto/x509"
23-
"encoding/hex"
2422
"fmt"
2523
"os"
2624
"path/filepath"
@@ -42,9 +40,6 @@ import (
4240
"github.com/sigstore/rekor/pkg/storage"
4341
"github.com/sigstore/rekor/pkg/trillianclient"
4442
"github.com/sigstore/rekor/pkg/witness"
45-
"github.com/sigstore/sigstore/pkg/cryptoutils"
46-
"github.com/sigstore/sigstore/pkg/signature"
47-
"github.com/sigstore/sigstore/pkg/signature/options"
4843

4944
_ "github.com/sigstore/rekor/pkg/pubsub/gcp" // Load GCP pubsub implementation
5045
)
@@ -92,12 +87,9 @@ func dial(rpcServer string) (*grpc.ClientConn, error) {
9287
}
9388

9489
type API struct {
95-
logClient trillian.TrillianLogClient
96-
logID int64
97-
logRanges sharding.LogRanges
98-
pubkey string // PEM encoded public key
99-
pubkeyHash string // SHA256 hash of DER-encoded public key
100-
signer signature.Signer
90+
logClient trillian.TrillianLogClient
91+
treeID int64
92+
logRanges sharding.LogRanges
10193
// stops checkpoint publishing
10294
checkpointPublishCancel context.CancelFunc
10395
// Publishes notifications when new entries are added to the log. May be
@@ -117,12 +109,6 @@ func NewAPI(treeID uint) (*API, error) {
117109
logAdminClient := trillian.NewTrillianAdminClient(tConn)
118110
logClient := trillian.NewTrillianLogClient(tConn)
119111

120-
shardingConfig := viper.GetString("trillian_log_server.sharding_config")
121-
ranges, err := sharding.NewLogRanges(ctx, logClient, shardingConfig, treeID)
122-
if err != nil {
123-
return nil, fmt.Errorf("unable get sharding details from sharding config: %w", err)
124-
}
125-
126112
tid := int64(treeID)
127113
if tid == 0 {
128114
log.Logger.Info("No tree ID specified, attempting to create a new tree")
@@ -133,27 +119,18 @@ func NewAPI(treeID uint) (*API, error) {
133119
tid = t.TreeId
134120
}
135121
log.Logger.Infof("Starting Rekor server with active tree %v", tid)
136-
ranges.SetActive(tid)
137122

138-
rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer"),
139-
viper.GetString("rekor_server.signer-passwd"),
140-
viper.GetString("rekor_server.tink_kek_uri"),
141-
viper.GetString("rekor_server.tink_keyset_path"),
142-
)
143-
if err != nil {
144-
return nil, fmt.Errorf("getting new signer: %w", err)
145-
}
146-
pk, err := rekorSigner.PublicKey(options.WithContext(ctx))
147-
if err != nil {
148-
return nil, fmt.Errorf("getting public key: %w", err)
123+
shardingConfig := viper.GetString("trillian_log_server.sharding_config")
124+
signingConfig := signer.SigningConfig{
125+
SigningSchemeOrKeyPath: viper.GetString("rekor_server.signer"),
126+
FileSignerPassword: viper.GetString("rekor_server.signer-passwd"),
127+
TinkKEKURI: viper.GetString("rekor_server.tink_kek_uri"),
128+
TinkKeysetPath: viper.GetString("rekor_server.tink_keyset_path"),
149129
}
150-
b, err := x509.MarshalPKIXPublicKey(pk)
130+
ranges, err := sharding.NewLogRanges(ctx, logClient, shardingConfig, tid, signingConfig)
151131
if err != nil {
152-
return nil, fmt.Errorf("marshalling public key: %w", err)
132+
return nil, fmt.Errorf("unable get sharding details from sharding config: %w", err)
153133
}
154-
pubkeyHashBytes := sha256.Sum256(b)
155-
156-
pubkey := cryptoutils.PEMEncode(cryptoutils.PublicKeyPEMType, b)
157134

158135
var newEntryPublisher pubsub.Publisher
159136
if p := viper.GetString("rekor_server.new_entry_publisher"); p != "" {
@@ -170,12 +147,8 @@ func NewAPI(treeID uint) (*API, error) {
170147
return &API{
171148
// Transparency Log Stuff
172149
logClient: logClient,
173-
logID: tid,
150+
treeID: tid,
174151
logRanges: ranges,
175-
// Signing/verifying fields
176-
pubkey: string(pubkey),
177-
pubkeyHash: hex.EncodeToString(pubkeyHashBytes[:]),
178-
signer: rekorSigner,
179152
// Utility functionality not required for operation of the core service
180153
newEntryPublisher: newEntryPublisher,
181154
}, nil
@@ -212,8 +185,8 @@ func ConfigureAPI(treeID uint) {
212185

213186
if viper.GetBool("enable_stable_checkpoint") {
214187
redisClient = NewRedisClient()
215-
checkpointPublisher := witness.NewCheckpointPublisher(context.Background(), api.logClient, api.logRanges.ActiveTreeID(),
216-
viper.GetString("rekor_server.hostname"), api.signer, redisClient, viper.GetUint("publish_frequency"), CheckpointPublishCount)
188+
checkpointPublisher := witness.NewCheckpointPublisher(context.Background(), api.logClient, api.logRanges.GetActive().TreeID,
189+
viper.GetString("rekor_server.hostname"), api.logRanges.GetActive().Signer, redisClient, viper.GetUint("publish_frequency"), CheckpointPublishCount)
217190

218191
// create context to cancel goroutine on server shutdown
219192
ctx, cancel := context.WithCancel(context.Background())

pkg/api/entries.go

+20-15
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,7 @@ func signEntry(ctx context.Context, signer signature.Signer, entry models.LogEnt
7474
}
7575

7676
// logEntryFromLeaf creates a signed LogEntry struct from trillian structs
77-
func logEntryFromLeaf(ctx context.Context, signer signature.Signer, _ trillianclient.TrillianClient, leaf *trillian.LogLeaf,
77+
func logEntryFromLeaf(ctx context.Context, _ trillianclient.TrillianClient, leaf *trillian.LogLeaf,
7878
signedLogRoot *trillian.SignedLogRoot, proof *trillian.Proof, tid int64, ranges sharding.LogRanges) (models.LogEntry, error) {
7979

8080
log.ContextLogger(ctx).Debugf("log entry from leaf %d", leaf.GetLeafIndex())
@@ -88,19 +88,24 @@ func logEntryFromLeaf(ctx context.Context, signer signature.Signer, _ trilliancl
8888
}
8989

9090
virtualIndex := sharding.VirtualLogIndex(leaf.GetLeafIndex(), tid, ranges)
91+
logRange, err := ranges.GetLogRangeByTreeID(tid)
92+
if err != nil {
93+
return nil, err
94+
}
95+
9196
logEntryAnon := models.LogEntryAnon{
92-
LogID: swag.String(api.pubkeyHash),
97+
LogID: swag.String(logRange.LogID),
9398
LogIndex: &virtualIndex,
9499
Body: leaf.LeafValue,
95100
IntegratedTime: swag.Int64(leaf.IntegrateTimestamp.AsTime().Unix()),
96101
}
97102

98-
signature, err := signEntry(ctx, signer, logEntryAnon)
103+
signature, err := signEntry(ctx, logRange.Signer, logEntryAnon)
99104
if err != nil {
100105
return nil, fmt.Errorf("signing entry error: %w", err)
101106
}
102107

103-
scBytes, err := util.CreateAndSignCheckpoint(ctx, viper.GetString("rekor_server.hostname"), tid, root.TreeSize, root.RootHash, api.signer)
108+
scBytes, err := util.CreateAndSignCheckpoint(ctx, viper.GetString("rekor_server.hostname"), tid, root.TreeSize, root.RootHash, logRange.Signer)
104109
if err != nil {
105110
return nil, err
106111
}
@@ -194,7 +199,7 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl
194199
return nil, handleRekorAPIError(params, http.StatusInternalServerError, err, failedToGenerateCanonicalEntry)
195200
}
196201

197-
tc := trillianclient.NewTrillianClient(ctx, api.logClient, api.logID)
202+
tc := trillianclient.NewTrillianClient(ctx, api.logClient, api.treeID)
198203

199204
resp := tc.AddLeaf(leaf)
200205
// this represents overall GRPC response state (not the results of insertion into the log)
@@ -209,7 +214,7 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl
209214
case int32(code.Code_OK):
210215
case int32(code.Code_ALREADY_EXISTS), int32(code.Code_FAILED_PRECONDITION):
211216
existingUUID := hex.EncodeToString(rfc6962.DefaultHasher.HashLeaf(leaf))
212-
activeTree := fmt.Sprintf("%x", api.logID)
217+
activeTree := fmt.Sprintf("%x", api.treeID)
213218
entryIDstruct, err := sharding.CreateEntryIDFromParts(activeTree, existingUUID)
214219
if err != nil {
215220
err := fmt.Errorf("error creating EntryID from active treeID %v and uuid %v: %w", activeTree, existingUUID, err)
@@ -230,7 +235,7 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl
230235
queuedLeaf := resp.GetAddResult.QueuedLeaf.Leaf
231236

232237
uuid := hex.EncodeToString(queuedLeaf.GetMerkleLeafHash())
233-
activeTree := fmt.Sprintf("%x", api.logID)
238+
activeTree := fmt.Sprintf("%x", api.treeID)
234239
entryIDstruct, err := sharding.CreateEntryIDFromParts(activeTree, uuid)
235240
if err != nil {
236241
err := fmt.Errorf("error creating EntryID from active treeID %v and uuid %v: %w", activeTree, uuid, err)
@@ -239,9 +244,9 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl
239244
entryID := entryIDstruct.ReturnEntryIDString()
240245

241246
// The log index should be the virtual log index across all shards
242-
virtualIndex := sharding.VirtualLogIndex(queuedLeaf.LeafIndex, api.logRanges.ActiveTreeID(), api.logRanges)
247+
virtualIndex := sharding.VirtualLogIndex(queuedLeaf.LeafIndex, api.logRanges.GetActive().TreeID, api.logRanges)
243248
logEntryAnon := models.LogEntryAnon{
244-
LogID: swag.String(api.pubkeyHash),
249+
LogID: swag.String(api.logRanges.GetActive().LogID),
245250
LogIndex: swag.Int64(virtualIndex),
246251
Body: queuedLeaf.GetLeafValue(),
247252
IntegratedTime: swag.Int64(queuedLeaf.IntegrateTimestamp.AsTime().Unix()),
@@ -286,7 +291,7 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl
286291
}
287292
}
288293

289-
signature, err := signEntry(ctx, api.signer, logEntryAnon)
294+
signature, err := signEntry(ctx, api.logRanges.GetActive().Signer, logEntryAnon)
290295
if err != nil {
291296
return nil, handleRekorAPIError(params, http.StatusInternalServerError, fmt.Errorf("signing entry error: %w", err), signingError)
292297
}
@@ -300,7 +305,7 @@ func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middl
300305
hashes = append(hashes, hex.EncodeToString(hash))
301306
}
302307

303-
scBytes, err := util.CreateAndSignCheckpoint(ctx, viper.GetString("rekor_server.hostname"), api.logID, root.TreeSize, root.RootHash, api.signer)
308+
scBytes, err := util.CreateAndSignCheckpoint(ctx, viper.GetString("rekor_server.hostname"), api.treeID, root.TreeSize, root.RootHash, api.logRanges.GetActive().Signer)
304309
if err != nil {
305310
return nil, handleRekorAPIError(params, http.StatusInternalServerError, err, sthGenerateError)
306311
}
@@ -511,7 +516,7 @@ func SearchLogQueryHandler(params entries.SearchLogQueryParams) middleware.Respo
511516
continue
512517
}
513518
tcs := trillianclient.NewTrillianClient(httpReqCtx, api.logClient, shard)
514-
logEntry, err := logEntryFromLeaf(httpReqCtx, api.signer, tcs, leafResp.Leaf, leafResp.SignedLogRoot, leafResp.Proof, shard, api.logRanges)
519+
logEntry, err := logEntryFromLeaf(httpReqCtx, tcs, leafResp.Leaf, leafResp.SignedLogRoot, leafResp.Proof, shard, api.logRanges)
515520
if err != nil {
516521
return handleRekorAPIError(params, http.StatusInternalServerError, err, err.Error())
517522
}
@@ -558,7 +563,7 @@ func retrieveLogEntryByIndex(ctx context.Context, logIndex int) (models.LogEntry
558563
return models.LogEntry{}, ErrNotFound
559564
}
560565

561-
return logEntryFromLeaf(ctx, api.signer, tc, leaf, result.SignedLogRoot, result.Proof, tid, api.logRanges)
566+
return logEntryFromLeaf(ctx, tc, leaf, result.SignedLogRoot, result.Proof, tid, api.logRanges)
562567
}
563568

564569
// Retrieve a Log Entry
@@ -580,7 +585,7 @@ func retrieveLogEntry(ctx context.Context, entryUUID string) (models.LogEntry, e
580585

581586
// If we got a UUID instead of an EntryID, search all shards
582587
if errors.Is(err, sharding.ErrPlainUUID) {
583-
trees := []sharding.LogRange{{TreeID: api.logRanges.ActiveTreeID()}}
588+
trees := []sharding.LogRange{api.logRanges.GetActive()}
584589
trees = append(trees, api.logRanges.GetInactive()...)
585590

586591
for _, t := range trees {
@@ -623,7 +628,7 @@ func retrieveUUIDFromTree(ctx context.Context, uuid string, tid int64) (models.L
623628
return models.LogEntry{}, err
624629
}
625630

626-
logEntry, err := logEntryFromLeaf(ctx, api.signer, tc, result.Leaf, result.SignedLogRoot, result.Proof, tid, api.logRanges)
631+
logEntry, err := logEntryFromLeaf(ctx, tc, result.Leaf, result.SignedLogRoot, result.Proof, tid, api.logRanges)
627632
if err != nil {
628633
return models.LogEntry{}, fmt.Errorf("could not create log entry from leaf: %w", err)
629634
}

pkg/api/public_key.go

+1-1
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ import (
2727

2828
func GetPublicKeyHandler(params pubkey.GetPublicKeyParams) middleware.Responder {
2929
treeID := swag.StringValue(params.TreeID)
30-
pk, err := api.logRanges.PublicKey(api.pubkey, treeID)
30+
pk, err := api.logRanges.PublicKey(treeID)
3131
if err != nil {
3232
return handleRekorAPIError(params, http.StatusBadRequest, err, "")
3333
}

0 commit comments

Comments
 (0)