Skip to content

Commit

Permalink
Add TLS support for Trillian server (sigstore#2164)
Browse files Browse the repository at this point in the history
* Add TLS support for Trillian server

Signed-off-by: Firas Ghanmi <[email protected]>

* update tls_ca_cert key name

Signed-off-by: Firas Ghanmi <[email protected]>

---------

Signed-off-by: Firas Ghanmi <[email protected]>
  • Loading branch information
fghanmi committed Aug 13, 2024
1 parent bbaaf4d commit 4d4f5c7
Show file tree
Hide file tree
Showing 2 changed files with 33 additions and 2 deletions.
2 changes: 2 additions & 0 deletions cmd/rekor-server/app/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,8 @@ Memory and file-based signers should only be used for testing.`)
rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint")
rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'")
rootCmd.PersistentFlags().String("trillian_log_server.tls_ca_cert", "", "Certificate file to use for secure connections with Trillian server")
rootCmd.PersistentFlags().Bool("trillian_log_server.tls", false, "Use TLS when connecting to Trillian Server")

rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
Expand Down
33 changes: 31 additions & 2 deletions pkg/api/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,16 @@ import (
"crypto/x509"
"encoding/hex"
"fmt"
"os"
"path/filepath"
"time"

"github.com/google/trillian"
"github.com/redis/go-redis/v9"
"github.com/spf13/viper"
"golang.org/x/exp/slices"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"

"github.com/sigstore/rekor/pkg/indexstorage"
Expand All @@ -51,8 +54,34 @@ func dial(ctx context.Context, rpcServer string) (*grpc.ClientConn, error) {
defer cancel()

// Set up and test connection to rpc server
creds := insecure.NewCredentials()
conn, err := grpc.DialContext(ctx, rpcServer, grpc.WithTransportCredentials(creds))
var creds credentials.TransportCredentials
tlsCACertFile := viper.GetString("trillian_log_server.tls_ca_cert")
useSystemTrustStore := viper.GetBool("trillian_log_server.tls")

switch {
case useSystemTrustStore:
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
MinVersion: tls.VersionTLS12,
})
case tlsCACertFile != "":
tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
if err != nil {
log.Logger.Fatalf("Failed to load tls_ca_cert:", err)
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(tlsCaCert) {
return nil, fmt.Errorf("failed to append CA certificate to pool")
}
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
})
default:
creds = insecure.NewCredentials()
}
conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds))
if err != nil {
log.Logger.Fatalf("Failed to connect to RPC server:", err)
}
Expand Down

0 comments on commit 4d4f5c7

Please sign in to comment.