Add TLS support for Trillian server
Signed-off-by: Firas Ghanmi <[email protected]>
fghanmi committed Jul 2, 2024
1 parent 5fd1711 commit b807792
Showing 6 changed files with 104 additions and 1 deletion.
2 changes: 2 additions & 0 deletions cmd/rekor-server/app/root.go
Expand Up @@ -117,6 +117,8 @@ Memory and file-based signers should only be used for testing.`)
rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint")
rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'")
rootCmd.PersistentFlags().String("tls-ca-cert", "", "Certificate file to use for secure connections with Trillian server")
rootCmd.PersistentFlags().Bool("trillian_log_server.tls", false, "Use system trust store for TLS")

rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
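Review bot: The flag registered here as `tls-ca-cert` does not match the key the client reads with `viper.GetString("tls_ca_cert")` in pkg/api/api.go, nor the `--tls_ca_cert=` argument docker-compose.yml passes; unless a key replacer maps hyphens to underscores (not visible in this commit), the CA file is never picked up and the compose invocation fails on an unknown flag. Registering it as `rootCmd.PersistentFlags().String("tls_ca_cert", "", "CA certificate file (PEM) used to verify the Trillian log server's TLS certificate")` makes the three sites agree and says what the file actually is, since "Certificate file to use for secure connections" reads like a client certificate. The description of `trillian_log_server.tls` should likewise say that it enables TLS to the Trillian server using the system trust store, because in api.go the flag gates TLS as a whole, not only which trust store is used.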
7 changes: 7 additions & 0 deletions docker-compose.yml
Expand Up @@ -75,7 +75,12 @@ services:
"--http_endpoint=0.0.0.0:8091",
"--force_master",
"--alsologtostderr",
"--tls_cert_file=/etc/tls/tls.crt",
"--tls_key_file=/etc/tls/tls.key"
]
volumes:
- /tests/sharding-testdata/tls.crt:/etc/tls/tls.crt
- /tests/sharding-testdata/tls.key:/etc/tls/tls.key
restart: always # retry while mysql is starting up
ports:
- "8092:8091"
Expand All @@ -102,11 +107,13 @@ services:
"--enable_stable_checkpoint",
"--search_index.storage_provider=mysql",
"--search_index.mysql.dsn=test:zaphod@tcp(mysql:3306)/test",
"--tls_ca_cert=/etc/tls/ca.crt"
# Uncomment this for production logging
# "--log_type=prod",
]
volumes:
- "/var/run/attestations:/var/run/attestations:z"
- /tests/sharding-testdata/ca.crt:/etc/tls/ca.crt
restart: always # keep the server running
ports:
- "3000:3000"
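Review bot: The new bind mounts use `/tests/sharding-testdata/...`, which compose treats as an absolute host path, so the certificate, key and CA are only found if the repository is checked out at the filesystem root; the intended relative form is `- ./tests/sharding-testdata/tls.crt:/etc/tls/tls.crt` (and likewise for tls.key and ca.crt). The rekor-server side passes `--tls_ca_cert=`, which must match the flag name registered in cmd/rekor-server/app/root.go (`tls-ca-cert` in this commit) or cobra rejects the argument as unknown. The server certificate mounted here appears to carry a one-year validity window (its encoded dates decode to 2024-07-02 through 2025-07-02), so this setup will start failing TLS verification after that unless the fixture is regenerated. A comment next to the mounts such as `# test-only self-signed cert/key/CA from tests/sharding-testdata; regenerate when expired` would spare the next person a debugging session and make clear the committed private key is not a production secret.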
30 changes: 29 additions & 1 deletion pkg/api/api.go
Expand Up @@ -22,12 +22,15 @@ import (
"crypto/x509"
"encoding/hex"
"fmt"
"os"
"path/filepath"

"github.com/google/trillian"
"github.com/redis/go-redis/v9"
"github.com/spf13/viper"
"golang.org/x/exp/slices"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"

"github.com/sigstore/rekor/pkg/indexstorage"
Expand All @@ -47,7 +50,32 @@ import (

func dial(rpcServer string) (*grpc.ClientConn, error) {
// Set up and test connection to rpc server
creds := insecure.NewCredentials()
var creds credentials.TransportCredentials
tlsCACertFile := viper.GetString("tls_ca_cert")
useSystemTrustStore := viper.GetBool("trillian_log_server.tls")

if useSystemTrustStore {

Check failure on line 57 in pkg/api/api.go
ifElseChain: rewrite if-else to switch statement (gocritic)
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
MinVersion: tls.VersionTLS12,
})
} else if tlsCACertFile == "" {
creds = insecure.NewCredentials()
} else {
tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
if err != nil {
log.Logger.Fatalf("Failed to load tls_ca_cert:", err)
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(tlsCaCert) {
return nil, fmt.Errorf("failed to append CA certificate to pool")
}
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
})
}
conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds))
if err != nil {
log.Logger.Fatalf("Failed to connect to RPC server:", err)
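Review bot: `ServerName: rpcServer` in both TLS branches sets the expected certificate name to the whole gRPC target, which presumably is `host:port`; a `host:port` value will not match a certificate issued to the bare hostname (the test fixture's CN looks like `trillian-log-server`), so verification fails the moment TLS is actually enabled. Leaving ServerName unset lets grpc-go derive it from the target's host component, which is the default behaviour of `credentials.NewTLS`. The CA branch also exits the process with `log.Logger.Fatalf("Failed to load tls_ca_cert:", err)` (no format verb for err) while the very next check returns an error; `dial` already returns an error, so both should. The viper key `tls_ca_cert` must match the flag registered in root.go (`tls-ca-cert` there), and writing the three cases as a `switch` clears the gocritic ifElseChain failure; dial's body continues past the hunk.
```go
	var creds credentials.TransportCredentials
	tlsCACertFile := viper.GetString("tls_ca_cert")
	useSystemTrustStore := viper.GetBool("trillian_log_server.tls")

	switch {
	case useSystemTrustStore:
		// ServerName is left empty so grpc derives it from the target host (without port).
		creds = credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12})
	case tlsCACertFile != "":
		tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
		if err != nil {
			return nil, fmt.Errorf("reading tls_ca_cert %q: %w", tlsCACertFile, err)
		}
		certPool := x509.NewCertPool()
		if !certPool.AppendCertsFromPEM(tlsCaCert) {
			return nil, fmt.Errorf("no CA certificate found in %q", tlsCACertFile)
		}
		creds = credentials.NewTLS(&tls.Config{RootCAs: certPool, MinVersion: tls.VersionTLS12})
	default:
		creds = insecure.NewCredentials()
	}
	// … unchanged: grpc.NewClient and connection handling …
```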
19 changes: 19 additions & 0 deletions tests/sharding-testdata/ca.crt
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
19 changes: 19 additions & 0 deletions tests/sharding-testdata/tls.crt
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIC/jCCAeagAwIBAgIUXBONalvsgMSSss6Ac9F+Qiy0RoMwDQYJKoZIhvcNAQEL
BQAwEDEOMAwGA1UEAwwFTXkgQ0EwHhcNMjQwNzAyMTU0MDQwWhcNMjUwNzAyMTU0
MDQwWjAeMRwwGgYDVQQDDBN0cmlsbGlhbi1sb2ctc2VydmVyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSy6h6wZ4C8HEmeZMnqwYviJiTcjxXArZaPx
ytxrvUOKviyA7oRhepOtSwpuUGh38+yrW6g9fv0c88DLktOwsNGSNZx9Gn8P0cLO
PO1qzXI0zxNwzaTvywHEpUHIynrEILwy5orAcuP004P3Wsx4k2vhe5YdWZBdcw2V
MFbJxOcHVXcrgENsFJkn6M6IuJ3yx+YClaRmYdp8C2jn3uHl4XQt+33kPPiWVj6l
lhW2vkpTzvBLQKwAav6ZCckJGCzUI7deYcZGEkSS0KYfzhH7oODZaLFaKywUHM61
uqZ5N6e/HiNNpQdf5tI1Zqf6Aoa5YQSBvY9oynbCYoMdgUwOnQIDAQABo0IwQDAd
BgNVHQ4EFgQUKR3YSbyQ7sBy5ekiKbOsOKR07CUwHwYDVR0jBBgwFoAUl0DFoHwm
Rk33P99PkGCfnCcrzfQwDQYJKoZIhvcNAQELBQADggEBAEx7hg6YEh9r76afDGg/
Wm/7cru3jyHKrJOogIdvYqmyCXVTez4ZanHKAfjqv8V/WCeW+ZXqjQsKwMy4napx
GGc1JxvLrF5dO0LS0jRT32HD/qAV14HNV7anN0YotbxSenAJlHG7H6uxfHvo1k/R
rte2JKUF0ut3P0cLIdnWGW6fIpB2lnmXFnb6FBtxRZFxFzsV+TBLX+1L0xOrFuvq
lI6Fu4xav5UwJs1ZMf3LhpGVLk5jmvUhnuWXwMYkcWqcCV9R0NKk49xyZ3uU2KYN
crCHIepUbe/efDWBZMexNDqOKMtedoE5gWP4VjYV+AK4e160zig9sJw6q6KCPdie
y3E=
-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions tests/sharding-testdata/tls.key
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
