Remove cosign dependency #234

Open
miki725 opened this issue Mar 7, 2024 · 0 comments
Labels
enhancement New feature or request

miki725 commented Mar 7, 2024

Currently chalk relies on the `cosign` command for signing things. This is an external dependency which is outside of chalk's control. Ideally we should either use some library to achieve the same functionality or reimplement the core needs directly in Nim.

filing this ticket for tracking

Currently there is some OpenSSL code which is not compiled and it's meant to be generating cosign keys:

It will be removed in the cosign key material provider refactor, hence the link here for future reference:

```nim
when false:
  ## The below code imports keys generated via the OpenSSL API.
  ## I'd eventually like to not require downloading cosign
  ## to get the keys set up.
  ##
  ## I'm done w/ the OpenSSL part; the rest I'd have to wrap via
  ## secretbox.
  const
    importFlags = ["import-key-pair", "--key", "chalk.pem",
                   "--output-key-prefix=chalk"]
  {.emit: """
#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/bio.h>

/* Copy the contents of a memory BIO into a NUL-terminated heap string
 * and free the BIO. The caller owns the returned buffer. */
char *
BIO_to_string(BIO *bio) {
  char *tmp;
  char *result;
  size_t len;

  len    = BIO_get_mem_data(bio, &tmp);
  result = (char *)calloc(len + 1, 1);
  memcpy(result, tmp, len);
  BIO_free(bio);
  return result;
}

/* Generate an Ed25519 key pair; *s1 receives the private key and *s2 the
 * public key, both PEM-encoded. */
void
generate_keypair(char **s1, char **s2) {
  EVP_PKEY     *pkey = NULL;
  EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);
  BIO          *pri  = BIO_new(BIO_s_mem());
  BIO          *pub  = BIO_new(BIO_s_mem());

  EVP_PKEY_keygen_init(pctx);
  EVP_PKEY_keygen(pctx, &pkey);
  EVP_PKEY_CTX_free(pctx);

  /* No cipher or passphrase is given, so the private key is written as
   * unencrypted PEM. */
  PEM_write_bio_PrivateKey(pri, pkey, NULL, NULL, 0, NULL, NULL);
  PEM_write_bio_PUBKEY(pub, pkey);

  char *x = BIO_to_string(pri);
  char *y = BIO_to_string(pub);
  *s1 = x;
  *s2 = y;
}
""" .}
  proc generateKeypair(pri: ptr cstring, pub: ptr cstring) {.importc:
                                                    "generate_keypair".}

  # execProcess comes from std/osproc; tryToWriteFile is not part of the
  # Nim standard library.
  proc generateKeyMaterial*(cosign: string) =
    var  # `var`, not `let`: the C routine fills these in through `addr`
      prikey: cstring
      pubkey: cstring

    generateKeypair(addr prikey, addr pubkey)
    # The unencrypted private key is written to disk before cosign imports it.
    if not tryToWriteFile("chalk.pem", $(prikey)):
      raise newException(OSError, "could not write private key to chalk.pem: " & getCurrentExceptionMsg())
    discard execProcess(cosign, args = importFlags, options={})
  ## End of code that's not compiled in. Again, it does work, it's just
  ## not finished enough to replace what we already have.
```

@miki725 miki725 added the enhancement New feature or request label Mar 7, 2024