From 4d4f5c79d1061d7085f0a6b09fff508aec73d880 Mon Sep 17 00:00:00 2001
From: Firas Ghanmi <158172821+fghanmi@users.noreply.github.com>
Date: Tue, 23 Jul 2024 23:21:57 +0200
Subject: [PATCH] Add TLS support for Trillian server (#2164)
* Add TLS support for Trillian server
Signed-off-by: Firas Ghanmi
* update tls_ca_cert key name
Signed-off-by: Firas Ghanmi
---------
Signed-off-by: Firas Ghanmi
---
 cmd/rekor-server/app/root.go | 2 ++
 pkg/api/api.go | 33 +++++++++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go
index cebc28d2a..0506db5a7 100644
--- a/cmd/rekor-server/app/root.go
+++ b/cmd/rekor-server/app/root.go
@@ -117,6 +117,8 @@ Memory and file-based signers should only be used for testing.`)
 rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
 rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint")
 rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'")
+ rootCmd.PersistentFlags().String("trillian_log_server.tls_ca_cert", "", "Certificate file to use for secure connections with Trillian server")
+ rootCmd.PersistentFlags().Bool("trillian_log_server.tls", false, "Use TLS when connecting to Trillian Server")
 rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
 rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
diff --git a/pkg/api/api.go b/pkg/api/api.go
index adee58105..62be5d90e 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -22,6 +22,8 @@ import (
 "crypto/x509"
 "encoding/hex"
 "fmt"
+ "os"
+ "path/filepath"
 "time"
 "github.com/google/trillian"
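Review bot: The help text on the first added flag line, "Certificate file to use for secure connections with Trillian server", does not say that the file is a CA bundle used to verify the Trillian server (the api.go hunk appends it to an x509 cert pool as RootCAs), nor that it is only honoured when `trillian_log_server.tls` is false. Suggest `"PEM CA certificate file used to verify the Trillian server; ignored when trillian_log_server.tls is true, which verifies against the system trust store"`, and correspondingly `"Use TLS with the system trust store when connecting to the Trillian server"` for the second flag. As a point of style, the flag just above spells the equivalent option `redis_server.enable-tls`, so `trillian_log_server.enable-tls` would be the consistent name, though renaming is a compatibility decision for the maintainers.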
@@ -29,6 +31,7 @@ import (
 "github.com/spf13/viper"
 "golang.org/x/exp/slices"
 "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/credentials/insecure"
 "github.com/sigstore/rekor/pkg/indexstorage"
@@ -51,8 +54,34 @@ func dial(ctx context.Context, rpcServer string) (*grpc.ClientConn, error) {
 defer cancel()
 // Set up and test connection to rpc server
- creds := insecure.NewCredentials()
- conn, err := grpc.DialContext(ctx, rpcServer, grpc.WithTransportCredentials(creds))
+ var creds credentials.TransportCredentials
+ tlsCACertFile := viper.GetString("trillian_log_server.tls_ca_cert")
+ useSystemTrustStore := viper.GetBool("trillian_log_server.tls")
+
+ switch {
+ case useSystemTrustStore:
+ creds = credentials.NewTLS(&tls.Config{
+ ServerName: rpcServer,
+ MinVersion: tls.VersionTLS12,
+ })
+ case tlsCACertFile != "":
+ tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
+ if err != nil {
+ log.Logger.Fatalf("Failed to load tls_ca_cert:", err)
+ }
+ certPool := x509.NewCertPool()
+ if !certPool.AppendCertsFromPEM(tlsCaCert) {
+ return nil, fmt.Errorf("failed to append CA certificate to pool")
+ }
+ creds = credentials.NewTLS(&tls.Config{
+ ServerName: rpcServer,
+ RootCAs: certPool,
+ MinVersion: tls.VersionTLS12,
+ })
+ default:
+ creds = insecure.NewCredentials()
+ }
+ conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds))
 if err != nil {
 log.Logger.Fatalf("Failed to connect to RPC server:", err)
 }
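Review bot: `log.Logger.Fatalf("Failed to load tls_ca_cert:", err)` in the new `case tlsCACertFile != ""` branch has no format verb for `err` (go vet reports this and the error prints as an EXTRA argument), and it presumably terminates the process while the `AppendCertsFromPEM` check a few lines later returns an error for the same class of misconfiguration; `return nil, fmt.Errorf("reading trillian_log_server.tls_ca_cert %q: %w", tlsCACertFile, err)` makes the two paths consistent and lets the caller decide. `ServerName: rpcServer` in both TLS branches passes the dial target, which is likely a host:port string, and crypto/tls checks the certificate against ServerName verbatim, so hostname verification would fail whenever the flag carries a port; leaving ServerName unset lets the gRPC TLS credentials derive it from the target authority, or strip the port with `net.SplitHostPort` before building the config. Because `case useSystemTrustStore` is tested first, a configured `tls_ca_cert` is silently ignored when `trillian_log_server.tls` is also true, so either order the cases so an explicit CA file wins or document the precedence where the flags are defined. The enclosing `dial` begins before the hunk; with `grpc.NewClient` the connection is no longer established in this function, so the `ctx` timeout and the "test connection" comment above the change presumably no longer describe what happens here.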