feat(keyless): make keyless signing available in the CLI (#862)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

app/cli/cmd/attestation_push.go

@@ -49,13 +49,6 @@ func newAttestationPushCmd() *cobra.Command {
 		Annotations: map[string]string{
 			useWorkflowRobotAccount: "true",
 		},
-		PreRunE: func(cmd *cobra.Command, args []string) error {
-			if pkPath == "" {
-				return errors.New("a path to the private key is required")
-			}
-
-			return nil
-		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			info, err := executableInfo()
 			if err != nil {
@@ -100,7 +93,7 @@ func newAttestationPushCmd() *cobra.Command {
 		},
 	}
 
-	cmd.Flags().StringVarP(&pkPath, "key", "k", "", "reference (path or env variable name) to the cosign private key that will be used to sign the attestation")
+	cmd.Flags().StringVarP(&pkPath, "key", "k", "", "reference (path or env variable name) to the cosign or KMS key that will be used to sign the attestation")
 	cmd.Flags().StringSliceVar(&annotationsFlag, "annotation", nil, "additional annotation in the format of key=value")
 	flagAttestationID(cmd)
 

app/cli/internal/action/attestation_push.go

@@ -25,6 +25,7 @@ import (
 	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/chainloop-dev/chainloop/internal/attestation/crafter"
 	"github.com/chainloop-dev/chainloop/internal/attestation/renderer"
+	"github.com/chainloop-dev/chainloop/internal/attestation/signer"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"google.golang.org/grpc"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -131,7 +132,9 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
 	// Indicate that we are done with the attestation
 	action.c.CraftingState.Attestation.FinishedAt = timestamppb.New(time.Now())
 
-	renderer, err := renderer.NewAttestationRenderer(action.c.CraftingState, action.keyPath, action.cliVersion, action.cliDigest, renderer.WithLogger(action.Logger))
+	wrappedSigner := signer.GetSigner(action.keyPath, action.Logger, pb.NewSigningServiceClient(action.CPConnection))
+	renderer, err := renderer.NewAttestationRenderer(action.c.CraftingState, action.cliVersion, action.cliDigest, wrappedSigner,
+		renderer.WithLogger(action.Logger))
 	if err != nil {
 		return nil, err
 	}

app/controlplane/internal/biz/signing.go

@@ -39,7 +39,7 @@ func NewChainloopSigningUseCase(ca ca.CertificateAuthority) *SigningUseCase {
 // CreateSigningCert signs a certificate request with a configured CA, and returns the full certificate chain
 func (s *SigningUseCase) CreateSigningCert(ctx context.Context, orgID string, csrRaw []byte) ([]string, error) {
 	if s.CA == nil {
-		return nil, errors.New("CA not initialized")
+		return nil, NewErrValidation(errors.New("CA not initialized"))
 	}
 
 	var publicKey crypto.PublicKey

internal/attestation/renderer/renderer.go

@@ -17,30 +17,25 @@ package renderer
 
 import (
 	"bytes"
-	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
-	"os"
-	"syscall"
 
 	v1 "github.com/chainloop-dev/chainloop/internal/attestation/crafter/api/attestation/v1"
 	"github.com/chainloop-dev/chainloop/internal/attestation/renderer/chainloop"
 	intoto "github.com/in-toto/attestation/go/v1"
 	"github.com/rs/zerolog"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
-	"github.com/sigstore/cosign/v2/pkg/signature"
+	sigstoresigner "github.com/sigstore/sigstore/pkg/signature"
 	sigdsee "github.com/sigstore/sigstore/pkg/signature/dsse"
-	"golang.org/x/term"
 	"google.golang.org/protobuf/encoding/protojson"
 )
 
 type AttestationRenderer struct {
-	logger         zerolog.Logger
-	signingKeyPath string
-	att            *v1.Attestation
-	renderer       r
+	logger   zerolog.Logger
+	att      *v1.Attestation
+	renderer r
+	signer   sigstoresigner.Signer
 }
 
 type r interface {
@@ -55,16 +50,16 @@ func WithLogger(logger zerolog.Logger) Opt {
 	}
 }
 
-func NewAttestationRenderer(state *v1.CraftingState, keyPath, builderVersion, builderDigest string, opts ...Opt) (*AttestationRenderer, error) {
+func NewAttestationRenderer(state *v1.CraftingState, builderVersion, builderDigest string, signer sigstoresigner.Signer, opts ...Opt) (*AttestationRenderer, error) {
 	if state.GetAttestation() == nil {
 		return nil, errors.New("attestation not initialized")
 	}
 
 	r := &AttestationRenderer{
-		logger:         zerolog.Nop(),
-		signingKeyPath: keyPath,
-		att:            state.GetAttestation(),
-		renderer:       chainloop.NewChainloopRendererV02(state.GetAttestation(), builderVersion, builderDigest),
+		logger:   zerolog.Nop(),
+		att:      state.GetAttestation(),
+		signer:   signer,
+		renderer: chainloop.NewChainloopRendererV02(state.GetAttestation(), builderVersion, builderDigest),
 	}
 
 	for _, opt := range opts {
@@ -93,15 +88,7 @@ func (ab *AttestationRenderer) Render() (*dsse.Envelope, error) {
 		return nil, err
 	}
 
-	ab.logger.Debug().Str("path", ab.signingKeyPath).Msg("loading key")
-
-	signer, err := signature.SignerFromKeyRef(context.Background(), ab.signingKeyPath, getPass)
-	if err != nil {
-		return nil, err
-	}
-
-	wrappedSigner := sigdsee.WrapSigner(signer, "application/vnd.in-toto+json")
-
+	wrappedSigner := sigdsee.WrapSigner(ab.signer, "application/vnd.in-toto+json")
 	signedAtt, err := wrappedSigner.SignMessage(bytes.NewReader(rawStatement))
 	if err != nil {
 		return nil, fmt.Errorf("signing message: %w", err)
@@ -114,61 +101,3 @@ func (ab *AttestationRenderer) Render() (*dsse.Envelope, error) {
 
 	return &dseeEnvelope, nil
 }
-
-func getPass(confirm bool) ([]byte, error) {
-	read := readPasswordFn(confirm)
-	return read()
-}
-
-// based on cosign code
-// https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/generate
-func readPasswordFn(confirm bool) func() ([]byte, error) {
-	pw, ok := os.LookupEnv("CHAINLOOP_SIGNING_PASSWORD")
-	switch {
-	case ok:
-		return func() ([]byte, error) {
-			return []byte(pw), nil
-		}
-	case isTerminal():
-		return func() ([]byte, error) {
-			return getPassFromTerm(confirm)
-		}
-	// Handle piped in passwords.
-	default:
-		return func() ([]byte, error) {
-			return io.ReadAll(os.Stdin)
-		}
-	}
-}
-
-func isTerminal() bool {
-	stat, _ := os.Stdin.Stat()
-	return (stat.Mode() & os.ModeCharDevice) != 0
-}
-
-func getPassFromTerm(confirm bool) ([]byte, error) {
-	fmt.Fprint(os.Stderr, "Enter password for private key: ")
-	// Unnecessary convert of syscall.Stdin on *nix, but Windows is a uintptr
-	// nolint:unconvert
-	pw1, err := term.ReadPassword(int(syscall.Stdin))
-	if err != nil {
-		return nil, err
-	}
-	fmt.Fprintln(os.Stderr)
-	if !confirm {
-		return pw1, nil
-	}
-	fmt.Fprint(os.Stderr, "Enter password for private key again: ")
-	// Unnecessary convert of syscall.Stdin on *nix, but Windows is a uintptr
-	// nolint:unconvert
-	confirmpw, err := term.ReadPassword(int(syscall.Stdin))
-	fmt.Fprintln(os.Stderr)
-	if err != nil {
-		return nil, err
-	}
-
-	if string(pw1) != string(confirmpw) {
-		return nil, errors.New("passwords do not match")
-	}
-	return pw1, nil
-}

internal/attestation/signer/chainloop/chainloop.go

@@ -0,0 +1,148 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package chainloop
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"sync"
+
+	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
+	"github.com/rs/zerolog"
+	sigstoresigner "github.com/sigstore/sigstore/pkg/signature"
+)
+
+// Signer is a keyless signer for Chainloop
+type Signer struct {
+	sigstoresigner.Signer
+
+	signingServiceClient pb.SigningServiceClient
+	logger               zerolog.Logger
+	mu                   sync.Mutex
+}
+
+var _ sigstoresigner.Signer = (*Signer)(nil)
+
+func NewSigner(sc pb.SigningServiceClient, logger zerolog.Logger) *Signer {
+	return &Signer{
+		signingServiceClient: sc,
+		logger:               logger,
+	}
+}
+
+func (cs *Signer) SignMessage(message io.Reader, opts ...sigstoresigner.SignOption) ([]byte, error) {
+	err := cs.ensureInitiated(context.Background())
+	if err != nil {
+		return nil, err
+	}
+
+	return cs.Signer.SignMessage(message, opts...)
+}
+
+// ensureInitiated makes sure the signer is fully initialized and can be used right away
+// (i.e. it has performed the CSR challenge with chainloop)
+func (cs *Signer) ensureInitiated(ctx context.Context) error {
+	cs.mu.Lock()
+	defer cs.mu.Unlock()
+
+	if cs.Signer != nil {
+		return nil
+	}
+
+	var err error
+
+	// key is not provided, let's create one
+	cs.logger.Debug().Msg("generating a keyless signer")
+	cs.Signer, err = cs.keyLessSigner(ctx)
+	if err != nil {
+		return fmt.Errorf("getting a keyless signer: %w", err)
+	}
+
+	return nil
+}
+
+type certificateRequest struct {
+	PrivateKey *ecdsa.PrivateKey
+	// CertificateRequestPEM contains the signed public key and the CSR metadata
+	CertificateRequestPEM []byte
+}
+
+func (cs *Signer) keyLessSigner(ctx context.Context) (sigstoresigner.Signer, error) {
+	request, err := cs.createCertificateRequest()
+	if err != nil {
+		return nil, fmt.Errorf("creating certificate request: %w", err)
+	}
+	_, err = cs.certFromChainloop(ctx, request)
+	if err != nil {
+		return nil, fmt.Errorf("getting a certificate from chainloop: %w", err)
+	}
+	sv, err := sigstoresigner.LoadECDSASignerVerifier(request.PrivateKey, crypto.SHA256)
+	if err != nil {
+		return nil, fmt.Errorf("loading ECDSA signer from private key: %w", err)
+	}
+
+	return sv, nil
+}
+
+// createCertificateRequest generates a new CSR to be sent to Chainloop platform
+func (cs *Signer) createCertificateRequest() (*certificateRequest, error) {
+	cs.logger.Debug().Msg("generating new certificate request")
+
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("generating cert: %w", err)
+	}
+	csrTmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "ephemeral certificate"}}
+	derCSR, err := x509.CreateCertificateRequest(rand.Reader, csrTmpl, priv)
+	if err != nil {
+		return nil, fmt.Errorf("generating certificate request: %w", err)
+	}
+
+	// Encode CSR to PEM
+	pemCSR := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: derCSR,
+	})
+
+	return &certificateRequest{
+		CertificateRequestPEM: pemCSR,
+		PrivateKey:            priv,
+	}, nil
+}
+
+// certFromChainloop gets a full certificate chain from a CSR
+func (cs *Signer) certFromChainloop(ctx context.Context, req *certificateRequest) ([]string, error) {
+	cr := pb.GenerateSigningCertRequest{
+		CertificateSigningRequest: req.CertificateRequestPEM,
+	}
+
+	// call chainloop
+	resp, err := cs.signingServiceClient.GenerateSigningCert(ctx, &cr)
+	if err != nil {
+		return nil, fmt.Errorf("generating signing cert: %w", err)
+	}
+
+	// get full chain
+	return resp.GetChain().GetCertificates(), nil
+}