From 4903305daf3dda829b3d861ecbf18b0a2d7853e1 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Tue, 23 Jul 2024 15:21:12 +0200 Subject: [PATCH 1/2] Add TLS support for Trillian server Signed-off-by: Firas Ghanmi --- cmd/rekor-server/app/root.go | 2 ++ pkg/api/api.go | 31 ++++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go index cebc28d2a..571f8c122 100644 --- a/cmd/rekor-server/app/root.go +++ b/cmd/rekor-server/app/root.go @@ -117,6 +117,8 @@ Memory and file-based signers should only be used for testing.`) rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password") rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint") rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'") + rootCmd.PersistentFlags().String("tls_ca_cert", "", "Certificate file to use for secure connections with Trillian server") + rootCmd.PersistentFlags().Bool("trillian_log_server.tls", false, "Use TLS when connecting to Trillian Server") rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage") rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket") diff --git a/pkg/api/api.go b/pkg/api/api.go index aba59b25e..d6463b170 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -22,12 +22,15 @@ import ( "crypto/x509" "encoding/hex" "fmt" + "os" + "path/filepath" "github.com/google/trillian" "github.com/redis/go-redis/v9" "github.com/spf13/viper" "golang.org/x/exp/slices" "google.golang.org/grpc" + "google.golang.org/grpc/credentials" "google.golang.org/grpc/credentials/insecure" "github.com/sigstore/rekor/pkg/indexstorage" @@ -47,7 +50,33 @@ import ( func dial(rpcServer string) (*grpc.ClientConn, error) { // Set up and test connection to rpc server - creds := insecure.NewCredentials() + var creds credentials.TransportCredentials + tlsCACertFile := viper.GetString("tls_ca_cert") + useSystemTrustStore := viper.GetBool("trillian_log_server.tls") + + switch { + case useSystemTrustStore: + creds = credentials.NewTLS(&tls.Config{ + ServerName: rpcServer, + MinVersion: tls.VersionTLS12, + }) + case tlsCACertFile != "": + tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile)) + if err != nil { + log.Logger.Fatalf("Failed to load tls_ca_cert:", err) + } + certPool := x509.NewCertPool() + if !certPool.AppendCertsFromPEM(tlsCaCert) { + return nil, fmt.Errorf("failed to append CA certificate to pool") + } + creds = credentials.NewTLS(&tls.Config{ + ServerName: rpcServer, + RootCAs: certPool, + MinVersion: tls.VersionTLS12, + }) + default: + creds = insecure.NewCredentials() + } conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds)) if err != nil { log.Logger.Fatalf("Failed to connect to RPC server:", err) From c1f5a695f9e78b127ffaf3a86a1a97973d5cd279 Mon Sep 17 00:00:00 2001 From: Firas Ghanmi Date: Tue, 23 Jul 2024 22:33:34 +0200 Subject: [PATCH 2/2] update tls_ca_cert key name Signed-off-by: Firas Ghanmi --- cmd/rekor-server/app/root.go | 2 +- pkg/api/api.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go index 571f8c122..0506db5a7 100644 --- a/cmd/rekor-server/app/root.go +++ b/cmd/rekor-server/app/root.go @@ -117,7 +117,7 @@ Memory and file-based signers should only be used for testing.`) rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password") rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint") rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'") - rootCmd.PersistentFlags().String("tls_ca_cert", "", "Certificate file to use for secure connections with Trillian server") + rootCmd.PersistentFlags().String("trillian_log_server.tls_ca_cert", "", "Certificate file to use for secure connections with Trillian server") rootCmd.PersistentFlags().Bool("trillian_log_server.tls", false, "Use TLS when connecting to Trillian Server") rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage") diff --git a/pkg/api/api.go b/pkg/api/api.go index d6463b170..3fe2104ce 100644 --- a/pkg/api/api.go +++ b/pkg/api/api.go @@ -51,7 +51,7 @@ import ( func dial(rpcServer string) (*grpc.ClientConn, error) { // Set up and test connection to rpc server var creds credentials.TransportCredentials - tlsCACertFile := viper.GetString("tls_ca_cert") + tlsCACertFile := viper.GetString("trillian_log_server.tls_ca_cert") useSystemTrustStore := viper.GetBool("trillian_log_server.tls") switch {