@jiparis jiparis commented Feb 11, 2025

This PR adds an endpoint to get the root material from the configured certificate authorities:

  • Adds the possibility to have one signing authority and multiple previous CAs, useful for certificate rotation.
  • Adds an endpoint (private) to get all root certificates (and chains) from the configured CAs
  • Implemented for FileCA and EJBCA.
> buf curl --http2-prior-knowledge --protocol grpc  -H "Authorization: Bearer $CHAINLOOP_TOKEN" http://localhost:9000/controlplane.v1.SigningService/GetTrustedRoot
{
  "keys": {
    "2a522d9652e0933d2a1237c395bc116e012f86dffff13122da59f76e0d2abe27": {
      "certificates": [
        "-----BEGIN CERTIFICATE-----\nMI... ==\n-----END CERTIFICATE-----\n"
      ]
    },
    "e6b4419565f9ccab5c68d7a99d96722931d2d9a7d920c938fae46c45e25989d2": {
      "certificates": [
        "-----BEGIN CERTIFICATE-----\n... Q==\n-----END CERTIFICATE-----\n"
      ]
    }
  }
}

Chart changes:

✗ diff before.yaml after.yaml
445c445
<   generated_jws_hmac_secret: "THVVd1dBOFRrbw=="
---
>   generated_jws_hmac_secret: "R1NoTllaMkFsdQ=="
449,453c449,454
<     certificate_authority:
<       file_ca:
<         cert_path: "/ca_secrets/file_ca.cert"
<         key_path:  "/ca_secrets/file_ca.key"
<         key_pass: "foo"
---
>     certificate_authorities:
>       - issuer: true
>         file_ca:
>           cert_path: "/ca_secrets/file_ca.cert"
>           key_path:  "/ca_secrets/file_ca.key"
>           key_pass: "foo"
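Review bot: the rename from the singular `certificate_authority` to the list `certificate_authorities` at 449,453c449,454 silently breaks any existing values file that still sets the old key, and the new `issuer: true` flag has no stated validation; consider accepting the old key as a deprecated alias that maps to a one-element list with `issuer: true`, calling the rename out in the chart release notes, and having the config loader reject a list with zero or more than one `issuer: true` entries so rotation cannot leave the control plane without a signing CA.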
476c477
<       generated_jws_hmac_secret: "LuUwWA8Tko"
---
>       generated_jws_hmac_secret: "GShNYZ2Alu"
1613c1614
<         checksum/secret-config: 5befa75f8e0d765e8585f890d75547ca0c39eac815b31961619026e70b87ffd4
---
>         checksum/secret-config: fbe01695cfacff3e8e5a3954bffbae73d6b15a6452ea5c6bbd3ee39feedc35c2

Note that chart configuration doesn't support multiple CAs yet.
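The GetTrustedRoot response above keys each CA by an identifier and carries its PEM material, which is what a verifier needs during a rotation: certificates issued by a previous CA must keep verifying while the current issuer signs new ones. The following Go program is an added example, not chainloop's own code: it generates a previous and a current self-signed CA, builds a response in the same shape, and verifies a leaf against whichever listed CA issued it. The key id is assumed here to be the SHA-256 of the root's DER encoding; the PR does not say how chainloop derives the ids in its response, and the certificate names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// caEntry and trustedRoot mirror the GetTrustedRoot response shape shown above.
type caEntry struct {
	Certificates []string `json:"certificates"`
}
type trustedRoot struct {
	Keys map[string]caEntry `json:"keys"`
}

// makeCert builds a throwaway P-256 certificate for this example: a self-signed
// CA when parent is nil, otherwise a one-hour leaf issued by parent.
func makeCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed CA allowed to sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// keyID is an ASSUMPTION of this example (SHA-256 over the DER root); the PR does not say how chainloop derives its ids.
func keyID(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// buildTrustedRoot renders the CAs in the response shape, one PEM entry per CA.
func buildTrustedRoot(cas ...*x509.Certificate) ([]byte, error) {
	tr := trustedRoot{Keys: map[string]caEntry{}}
	for _, c := range cas {
		p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
		tr.Keys[keyID(c)] = caEntry{Certificates: []string{string(p)}}
	}
	return json.Marshal(tr)
}

// verifyAgainstTrustedRoot checks that leaf chains to one CA in the response
// (self-signed entries become roots, any others intermediates) and returns that CA's key id.
func verifyAgainstTrustedRoot(rootsJSON []byte, leaf *x509.Certificate, at time.Time) (string, error) {
	var tr trustedRoot
	if err := json.Unmarshal(rootsJSON, &tr); err != nil {
		return "", err
	}
	for id, entry := range tr.Keys {
		roots, inters := x509.NewCertPool(), x509.NewCertPool()
		for _, p := range entry.Certificates {
			if b, _ := pem.Decode([]byte(p)); b != nil {
				if c, err := x509.ParseCertificate(b.Bytes); err == nil && c.CheckSignatureFrom(c) == nil {
					roots.AddCert(c)
				} else if err == nil {
					inters.AddCert(c)
				}
			}
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
		if _, err := leaf.Verify(opts); err == nil {
			return id, nil
		}
	}
	return "", fmt.Errorf("leaf %q does not chain to any CA in the trusted root response", leaf.Subject.CommonName)
}

func main() {
	cur, curKey, _ := makeCert("current-ca", nil, nil)
	roots, _ := buildTrustedRoot(cur)
	leaf, _, _ := makeCert("workflow-run", cur, curKey)
	fmt.Println(verifyAgainstTrustedRoot(roots, leaf, time.Now()))
}
```

Keeping one root pool per response entry, rather than merging every CA into a single pool, is what makes the returned key id meaningful: a verifier can record which CA vouched for a signature, and removing an entry from the response withdraws trust in that CA for all later verifications without touching the others.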

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from javirln and migmartri February 11, 2025 17:54
@jiparis jiparis marked this pull request as draft February 11, 2025 18:09
@jiparis jiparis marked this pull request as ready for review February 11, 2025 19:32
@migmartri migmartri left a comment
Thanks @jiparis


func requireRobotAccountMatcher() selector.MatchFunc {
const requireMatcher = "controlplane.v1.AttestationService/.*|controlplane.v1.AttestationStateService/.*|controlplane.v1.SigningService/.*"
const requireMatcher = "controlplane.v1.AttestationService/.*|controlplane.v1.AttestationStateService/.*|controlplane.v1.SigningService/GenerateSigningCert"
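Review bot: narrowing the matcher from `controlplane.v1.SigningService/.*` to `controlplane.v1.SigningService/GenerateSigningCert` takes every other SigningService method, including the new GetTrustedRoot, out of the robot-account requirement, so their access policy is now decided solely by whatever other selectors apply; an authorization test that calls GetTrustedRoot with a robot-account token, a user token and no token would pin the intended exposure down, and a one-line comment on the constant explaining why GenerateSigningCert alone stays robot-account-only would keep the next edit from widening it back by accident.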
Member Author
This is needed, since the new endpoint should be available for workflow run describe. This setting will make it public, but we might want to move it to its own service.

Member
I think it's fine since it can enable offline verification

certificate_profile_name: "{{- required "EJBCA certificate profile name is mandatory" .certProfileName }}"
end_entity_profile_name: "{{- required "EJBCA end entity profile name is mandatory" .endEntityProfileName }}"
certificate_authority_name: "{{- required "EJBCA certificate authority name is mandatory" .caName }}"
certificate_authorities:
Member
Should we add the issuer option in the values.yaml file too? Or should we do it later on to support multiple CAs?

Member Author
Yes, I didn't want to disrupt current values.yaml. I would add it when we support multiple CAs.

@jiparis jiparis merged commit 54748d2 into chainloop-dev:main Feb 12, 2025
14 checks passed
@jiparis jiparis deleted the PFM-2282-roots branch February 12, 2025 09:06
3 participants