feat(signserver): Add support to SignServer key references for signing (#959)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

app/cli/cmd/attestation_push.go

@@ -26,8 +26,13 @@ import (
 )
 
 func newAttestationPushCmd() *cobra.Command {
-	var pkPath, bundle string
-	var annotationsFlag []string
+	var (
+		pkPath, bundle                         string
+		annotationsFlag                        []string
+		signServerCAPath                       string
+		signServerAuthUser, signServerAuthPass string
+	)
+
 	cmd := &cobra.Command{
 		Use:   "push",
 		Short: "generate and push the attestation to the control plane",
@@ -57,7 +62,9 @@ func newAttestationPushCmd() *cobra.Command {
 				return fmt.Errorf("getting executable information: %w", err)
 			}
 			a, err := action.NewAttestationPush(&action.AttestationPushOpts{
-				ActionsOpts: actionOpts, KeyPath: pkPath, BundlePath: bundle, CLIVersion: info.Version, CLIDigest: info.Digest,
+				ActionsOpts: actionOpts, KeyPath: pkPath, BundlePath: bundle,
+				CLIVersion: info.Version, CLIDigest: info.Digest,
+				SignServerCAPath: signServerCAPath,
 			})
 			if err != nil {
 				return fmt.Errorf("failed to load action: %w", err)
@@ -102,5 +109,9 @@ func newAttestationPushCmd() *cobra.Command {
 	cmd.Flags().StringVar(&bundle, "bundle", "", "output a Sigstore bundle to the provided path  ")
 	flagAttestationID(cmd)
 
+	cmd.Flags().StringVar(&signServerCAPath, "signserver-ca-path", "", "custom CA to be used for SignServer communications")
+	cmd.Flags().StringVar(&signServerAuthUser, "signserver-auth-user", "", "")
+	cmd.Flags().StringVar(&signServerAuthPass, "signserver-auth-pass", "", "")
+
 	return cmd
 }

app/cli/internal/action/attestation_push.go

@@ -33,6 +33,8 @@ import (
 type AttestationPushOpts struct {
 	*ActionsOpts
 	KeyPath, CLIVersion, CLIDigest, BundlePath string
+
+	SignServerCAPath string
 }
 
 type AttestationResult struct {
@@ -45,6 +47,7 @@ type AttestationPush struct {
 	*ActionsOpts
 	c                                          *crafter.Crafter
 	keyPath, cliVersion, cliDigest, bundlePath string
+	signServerCAPath                           string
 }
 
 func NewAttestationPush(cfg *AttestationPushOpts) (*AttestationPush, error) {
@@ -54,12 +57,13 @@ func NewAttestationPush(cfg *AttestationPushOpts) (*AttestationPush, error) {
 	}
 
 	return &AttestationPush{
-		ActionsOpts: cfg.ActionsOpts,
-		c:           c,
-		keyPath:     cfg.KeyPath,
-		cliVersion:  cfg.CLIVersion,
-		cliDigest:   cfg.CLIDigest,
-		bundlePath:  cfg.BundlePath,
+		ActionsOpts:      cfg.ActionsOpts,
+		c:                c,
+		keyPath:          cfg.KeyPath,
+		cliVersion:       cfg.CLIVersion,
+		cliDigest:        cfg.CLIDigest,
+		bundlePath:       cfg.BundlePath,
+		signServerCAPath: cfg.SignServerCAPath,
 	}, nil
 }
 
@@ -132,7 +136,13 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
 	// Indicate that we are done with the attestation
 	action.c.CraftingState.Attestation.FinishedAt = timestamppb.New(time.Now())
 
-	sig := signer.GetSigner(action.keyPath, action.Logger, pb.NewSigningServiceClient(action.CPConnection))
+	sig, err := signer.GetSigner(action.keyPath, action.Logger, &signer.Opts{
+		SignServerCAPath: action.signServerCAPath,
+		Vaultclient:      pb.NewSigningServiceClient(action.CPConnection),
+	})
+	if err != nil {
+		return nil, fmt.Errorf("creating signer: %w", err)
+	}
 	renderer, err := renderer.NewAttestationRenderer(action.c.CraftingState, action.cliVersion, action.cliDigest, sig,
 		renderer.WithLogger(action.Logger), renderer.WithBundleOutputPath(action.bundlePath))
 	if err != nil {

internal/attestation/signer/signer.go

@@ -16,21 +16,38 @@
 package signer
 
 import (
+	"fmt"
+	"strings"
+
 	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/chainloop-dev/chainloop/internal/attestation/signer/chainloop"
 	"github.com/chainloop-dev/chainloop/internal/attestation/signer/cosign"
+	"github.com/chainloop-dev/chainloop/internal/attestation/signer/signserver"
 	"github.com/rs/zerolog"
 	sigstoresigner "github.com/sigstore/sigstore/pkg/signature"
 )
 
+type Opts struct {
+	SignServerCAPath string
+	Vaultclient      pb.SigningServiceClient
+}
+
 // GetSigner creates a new Signer based on input parameters
-func GetSigner(keyPath string, logger zerolog.Logger, client pb.SigningServiceClient) sigstoresigner.Signer {
+func GetSigner(keyPath string, logger zerolog.Logger, opts *Opts) (sigstoresigner.Signer, error) {
 	var signer sigstoresigner.Signer
 	if keyPath != "" {
-		signer = cosign.NewSigner(keyPath, logger)
+		if strings.HasPrefix(keyPath, signserver.ReferenceScheme) {
+			host, worker, err := signserver.ParseKeyReference(keyPath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to parse key: %w", err)
+			}
+			signer = signserver.NewSigner(host, worker, opts.SignServerCAPath)
+		} else {
+			signer = cosign.NewSigner(keyPath, logger)
+		}
 	} else {
-		signer = chainloop.NewSigner(client, logger)
+		signer = chainloop.NewSigner(opts.Vaultclient, logger)
 	}
 
-	return signer
+	return signer, nil
 }

internal/attestation/signer/signserver/signserver.go

@@ -0,0 +1,134 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package signserver
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io"
+	"mime/multipart"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+
+	sigstoresigner "github.com/sigstore/sigstore/pkg/signature"
+)
+
+// ReferenceScheme is the scheme to be used when using signserver keys. Ex: signserver://host/worker
+const ReferenceScheme = "signserver"
+
+// Signer implements a signer for SignServer
+type Signer struct {
+	host, worker, caPath string
+}
+
+var _ sigstoresigner.Signer = (*Signer)(nil)
+
+func NewSigner(host, worker, caPath string) *Signer {
+	return &Signer{
+		host:   host,
+		worker: worker,
+		caPath: caPath,
+	}
+}
+
+func (s Signer) PublicKey(_ ...sigstoresigner.PublicKeyOption) (crypto.PublicKey, error) {
+	return nil, errors.New("public key not yet supported for SignServer")
+}
+
+// SignMessage Signs a message by calling to SignServer
+func (s Signer) SignMessage(message io.Reader, _ ...sigstoresigner.SignOption) ([]byte, error) {
+	url, err := url.Parse(fmt.Sprintf("https://%s/signserver/process", s.host))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse url: %w", err)
+	}
+
+	body := &bytes.Buffer{}
+	mpwriter := multipart.NewWriter(body)
+
+	// Send worker name
+	err = mpwriter.WriteField("workerName", s.worker)
+	if err != nil {
+		return nil, fmt.Errorf("failed to write field: %w", err)
+	}
+
+	// Send payload
+	part, err := mpwriter.CreateFormFile("file", "attestation.json")
+	if err != nil {
+		return nil, fmt.Errorf("failed to create form field: %w", err)
+	}
+	_, err = io.Copy(part, message)
+	if err != nil {
+		return nil, fmt.Errorf("failed to copy message: %w", err)
+	}
+	err = mpwriter.Close()
+	if err != nil {
+		return nil, fmt.Errorf("failed to close multipart writer: %w", err)
+	}
+
+	req, err := http.NewRequest("POST", url.String(), body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+	req.Header.Add("Content-Type", mpwriter.FormDataContentType())
+	client := &http.Client{}
+
+	var caPool *x509.CertPool
+	if s.caPath != "" {
+		caPool = x509.NewCertPool()
+		caContents, err := os.ReadFile(s.caPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read ca cert: %w", err)
+		}
+		caPool.AppendCertsFromPEM(caContents)
+		client.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{RootCAs: caPool, MinVersion: tls.VersionTLS12}}
+	}
+
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to send request: %w", err)
+	}
+
+	if res.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("failed to send request: status %d", res.StatusCode)
+	}
+
+	resBytes, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	return resBytes, nil
+}
+
+// ParseKeyReference interprets a key reference for SignServer
+func ParseKeyReference(keyPath string) (string, string, error) {
+	parts := strings.SplitAfter(keyPath, "://")
+	if len(parts) != 2 {
+		return "", "", fmt.Errorf("invalid key path: %s", keyPath)
+	}
+	parts = strings.Split(parts[1], "/")
+	if len(parts) != 2 {
+		return "", "", fmt.Errorf("invalid key path: %s", keyPath)
+	}
+	return parts[0], parts[1], nil
+}