feat(signserver): support encrypted PEM in TLS connection with SignServer (#1865)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

app/cli/cmd/attestation_push.go

@@ -31,8 +31,9 @@ func newAttestationPushCmd() *cobra.Command {
 		pkPath, bundle   string
 		annotationsFlag  []string
 		signServerCAPath string
-		// Client certificate for SignServer auth
+		// Client certificate and passphrase for SignServer auth
 		signServerAuthCertPath string
+		signServerAuthCertPass string
 		bypassPolicyCheck      bool
 	)
 
@@ -71,6 +72,7 @@ func newAttestationPushCmd() *cobra.Command {
 				SignServerOpts: &action.SignServerOpts{
 					CAPath:             signServerCAPath,
 					AuthClientCertPath: signServerAuthCertPath,
+					AuthClientCertPass: signServerAuthCertPass,
 				},
 			})
 			if err != nil {
@@ -131,6 +133,7 @@ func newAttestationPushCmd() *cobra.Command {
 
 	cmd.Flags().StringVar(&signServerCAPath, "signserver-ca-path", "", "custom CA to be used for SignServer TLS connection")
 	cmd.Flags().StringVar(&signServerAuthCertPath, "signserver-client-cert", "", "path to client certificate in PEM format for authenticated SignServer TLS connection")
+	cmd.Flags().StringVar(&signServerAuthCertPass, "signserver-client-pass", "", "certificate passphrase for authenticated SignServer TLS connection")
 	cmd.Flags().BoolVar(&bypassPolicyCheck, exceptionFlagName, false, "do not fail this command on policy violations enforcement")
 
 	return cmd

app/cli/internal/action/attestation_push.go

@@ -44,8 +44,8 @@ type AttestationPushOpts struct {
 type SignServerOpts struct {
 	// CA certificate for TLS connection
 	CAPath string
-	// (optional) Client cert for mutual TLS authentication
-	AuthClientCertPath string
+	// (optional) Client cert and passphrase for mutual TLS authentication
+	AuthClientCertPath, AuthClientCertPass string
 }
 
 type AttestationResult struct {
@@ -161,6 +161,7 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
 		signerOpts.SignServerOpts = &signer.SignServerOpts{
 			CAPath:             action.signServerOpts.CAPath,
 			AuthClientCertPath: action.signServerOpts.AuthClientCertPath,
+			AuthClientCertPass: action.signServerOpts.AuthClientCertPass,
 		}
 	}
 	sig, err := signer.GetSigner(action.keyPath, action.Logger, signerOpts)

go.mod

@@ -91,6 +91,7 @@ require (
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8
 	github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8
 	github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78
 	gitlab.com/gitlab-org/security-products/analyzers/report/v5 v5.3.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed
 	google.golang.org/genproto/googleapis/bytestream v0.0.0-20240903143218-8af14fe29dc1

go.sum

@@ -1419,6 +1419,8 @@ github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQ
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=
 github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
 github.com/ysmood/fetchup v0.2.3 h1:ulX+SonA0Vma5zUFXtv52Kzip/xe7aj4vqT5AJwQ+ZQ=
 github.com/ysmood/fetchup v0.2.3/go.mod h1:xhibcRKziSvol0H1/pj33dnKrYyI2ebIvz5cOOkYGns=
 github.com/ysmood/goob v0.4.0 h1:HsxXhyLBeGzWXnqVKtmT9qM7EuVs/XOgkX7T6r1o1AQ=

pkg/attestation/signer/signer.go

@@ -35,8 +35,8 @@ type Opts struct {
 type SignServerOpts struct {
 	// CA certificate for TLS connection
 	CAPath string
-	// (optional) Client cert for mutual TLS authentication
-	AuthClientCertPath string
+	// (optional) Client cert and passphrase for mutual TLS authentication
+	AuthClientCertPath, AuthClientCertPass string
 }
 
 // GetSigner creates a new Signer based on input parameters
@@ -54,7 +54,8 @@ func GetSigner(keyPath string, logger zerolog.Logger, opts *Opts) (sigstoresigne
 			}
 			signer = signserver.NewSigner(host, worker,
 				signserver.WithCAPath(opts.SignServerOpts.CAPath),
-				signserver.WithClientCertPath(opts.SignServerOpts.AuthClientCertPath))
+				signserver.WithClientCertPath(opts.SignServerOpts.AuthClientCertPath),
+				signserver.WithClientCertPass(opts.SignServerOpts.AuthClientCertPass))
 		} else {
 			signer = cosign.NewSigner(keyPath, logger)
 		}

pkg/attestation/signer/signserver/signserver.go

@@ -20,6 +20,7 @@ import (
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
@@ -30,14 +31,15 @@ import (
 	"strings"
 
 	sigstoresigner "github.com/sigstore/sigstore/pkg/signature"
+	"github.com/youmark/pkcs8"
 )
 
 // ReferenceScheme is the scheme to be used when using signserver keys. Ex: signserver://host/worker
 const ReferenceScheme = "signserver"
 
 // Signer implements a signer for SignServer
 type Signer struct {
-	host, worker, caPath, clientCertPath string
+	host, worker, caPath, clientCertPath, clientCertPass string
 }
 
 type SignerOpt func(*Signer)
@@ -53,6 +55,11 @@ func WithClientCertPath(clientCertPath string) SignerOpt {
 		s.clientCertPath = clientCertPath
 	}
 }
+func WithClientCertPass(clientCertPass string) SignerOpt {
+	return func(s *Signer) {
+		s.clientCertPass = clientCertPass
+	}
+}
 
 var _ sigstoresigner.Signer = (*Signer)(nil)
 
@@ -122,10 +129,30 @@ func (s Signer) SignMessage(message io.Reader, _ ...sigstoresigner.SignOption) (
 	}
 
 	if s.clientCertPath != "" {
-		cert, err := tls.LoadX509KeyPair(s.clientCertPath, s.clientCertPath)
+		var cert tls.Certificate
+		pemBytes, err := os.ReadFile(s.clientCertPath)
 		if err != nil {
-			return nil, fmt.Errorf("failed to load client cert and key: %w", err)
+			return nil, fmt.Errorf("failed to read client cert file: %w", err)
 		}
+		if s.clientCertPass != "" {
+			cert, err = certFromPem(pemBytes)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read client cert file: %w", err)
+			}
+			// decrypt the private key
+			key, err := privateKeyFromPem(pemBytes, s.clientCertPass)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load private key: %w", err)
+			}
+			cert.PrivateKey = key
+		} else {
+			// Try with unencrypted PEM
+			cert, err = tls.LoadX509KeyPair(s.clientCertPath, s.clientCertPath)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load client cert and key: %w", err)
+			}
+		}
+
 		if tlsConfig == nil {
 			tlsConfig = &tls.Config{MinVersion: tls.VersionTLS12}
 		}
@@ -165,3 +192,50 @@ func ParseKeyReference(keyPath string) (string, string, error) {
 	}
 	return parts[0], parts[1], nil
 }
+
+func certFromPem(pemBytes []byte) (tls.Certificate, error) {
+	var cert tls.Certificate
+	for {
+		var certDERBlock *pem.Block
+		certDERBlock, pemBytes = pem.Decode(pemBytes)
+		if certDERBlock == nil {
+			break
+		}
+		if certDERBlock.Type == "CERTIFICATE" {
+			cert.Certificate = append(cert.Certificate, certDERBlock.Bytes)
+		}
+	}
+	return cert, nil
+}
+
+func privateKeyFromPem(pemBytes []byte, password string) (any, error) {
+	var keyDERBlock *pem.Block
+	for {
+		keyDERBlock, pemBytes = pem.Decode(pemBytes)
+		if keyDERBlock == nil {
+			return nil, errors.New("failed to find any PEM data in key input")
+		}
+
+		if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
+			break
+		}
+	}
+
+	// Try with RFC1423
+	var key any
+	derBytes, err := x509.DecryptPEMBlock(keyDERBlock, []byte(password))
+	if err != nil {
+		// try with PKCS#8 encryption (not supported by stdlib)
+		key, err = pkcs8.ParsePKCS8PrivateKey(keyDERBlock.Bytes, []byte(password))
+		if err != nil {
+			return nil, fmt.Errorf("failed to decrypt private key: %w", err)
+		}
+	} else {
+		key, err = x509.ParsePKCS8PrivateKey(derBytes)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse private key: %w", err)
+		}
+	}
+
+	return key, nil
+}