Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add TLS support for Trillian server #2164

Merged
merged 2 commits into from
Jul 23, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions cmd/rekor-server/app/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,8 @@ Memory and file-based signers should only be used for testing.`)
rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint")
rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'")
rootCmd.PersistentFlags().String("tls_ca_cert", "", "Certificate file to use for secure connections with Trillian server")
fghanmi marked this conversation as resolved.
Show resolved Hide resolved
rootCmd.PersistentFlags().Bool("trillian_log_server.tls", false, "Use TLS when connecting to Trillian Server")

rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
Expand Down
31 changes: 30 additions & 1 deletion pkg/api/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,15 @@ import (
"crypto/x509"
"encoding/hex"
"fmt"
"os"
"path/filepath"

"github.com/google/trillian"
"github.com/redis/go-redis/v9"
"github.com/spf13/viper"
"golang.org/x/exp/slices"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"

"github.com/sigstore/rekor/pkg/indexstorage"
Expand All @@ -47,7 +50,33 @@ import (

func dial(rpcServer string) (*grpc.ClientConn, error) {
// Set up and test connection to rpc server
creds := insecure.NewCredentials()
var creds credentials.TransportCredentials
tlsCACertFile := viper.GetString("tls_ca_cert")
useSystemTrustStore := viper.GetBool("trillian_log_server.tls")

switch {
case useSystemTrustStore:
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's unlikely, but possible that rpcServer will not simply be a hostname/IP address or hostname:port combination, as that string can be a value as defined by https://github.com/grpc/grpc/blob/master/doc/naming.md

MinVersion: tls.VersionTLS12,
})
case tlsCACertFile != "":
tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
if err != nil {
log.Logger.Fatalf("Failed to load tls_ca_cert:", err)
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(tlsCaCert) {
return nil, fmt.Errorf("failed to append CA certificate to pool")
}
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
})
default:
creds = insecure.NewCredentials()
}
conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds))
if err != nil {
log.Logger.Fatalf("Failed to connect to RPC server:", err)
Expand Down
Loading