Add support for signing with Tink keyset

This allows deployers to securely sign in-memory while mitigating key exfiltration, since the key is encrypted at rest and loaded into memory at server startup. Requires providing a path to an encrypted Tink keyset and the Key Encryption Key, a KMS URI for decrypting the keyset. Heavily pulls from Fulcio's Tink implementation. Signed-off-by: Hayden Blauzvern <[email protected]>
sigstore · Sep 25, 2024 · 5cdea20 · 5cdea20
1 parent 2e4be8b
commit 5cdea20
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 4 deletions.
diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go
@@ -98,9 +98,11 @@ func init() {
  rootCmd.PersistentFlags().String("rekor_server.address", "127.0.0.1", "Address to bind to")
 
  rootCmd.PersistentFlags().String("rekor_server.signer", "memory",
- `Rekor signer to use. Valid options are: [awskms://keyname, azurekms://keyname, gcpkms://keyname, hashivault://keyname, memory, <filename containing PEM-encoded private key>].
+ `Rekor signer to use. Valid options are: [awskms://keyname, azurekms://keyname, gcpkms://keyname, hashivault://keyname, memory, tink, <filename containing PEM-encoded private key>].
 Memory and file-based signers should only be used for testing.`)
  rootCmd.PersistentFlags().String("rekor_server.signer-passwd", "", "Password to decrypt signer private key")
+ rootCmd.PersistentFlags().String("rekor_server.tink_kek_uri", "", "Key encryption key for decrypting Tink keyset. Valid options are [aws-kms://keyname, gcp-kms://keyname]")
+ rootCmd.PersistentFlags().String("rekor_server.tink_keyset_path", "", "Path to encrypted Tink keyset, containing private key to sign log checkpoints")
 
  rootCmd.PersistentFlags().String("rekor_server.new_entry_publisher", "", "URL for pub/sub queue to send messages to when new entries are added to the log. Ignored if not set. Supported providers: [gcppubsub]")
  rootCmd.PersistentFlags().Bool("rekor_server.publish_events_protobuf", false, "Whether to publish events in Protobuf wire format. Applies to all enabled event types.")

diff --git a/go.mod b/go.mod
@@ -68,6 +68,9 @@ require (
  github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.8
  github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.8
  github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.8
+ github.com/tink-crypto/tink-go-awskms/v2 v2.1.0
+ github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0
+ github.com/tink-crypto/tink-go/v2 v2.2.0
  golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3
  google.golang.org/genproto/googleapis/rpc v0.0.0-20240823204242-4ba0660f739c
 )

diff --git a/go.sum b/go.sum
@@ -418,6 +418,12 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
+github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI=
+github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis=
+github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0=
+github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0/go.mod h1:jY5YN2BqD/KSCHM9SqZPIpJNG/u3zwfLXHgws4x2IRw=
+github.com/tink-crypto/tink-go/v2 v2.2.0 h1:L2Da0F2Udh2agtKztdr69mV/KpnY3/lGTkMgLTVIXlA=
+github.com/tink-crypto/tink-go/v2 v2.2.0/go.mod h1:JJ6PomeNPF3cJpfWC0lgyTES6zpJILkAX0cJNwlS3xU=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=

diff --git a/pkg/api/api.go b/pkg/api/api.go
@@ -136,7 +136,10 @@ func NewAPI(treeID uint) (*API, error) {
  ranges.SetActive(tid)
 
  rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer"),
- viper.GetString("rekor_server.signer-passwd"))
+ viper.GetString("rekor_server.signer-passwd"),
+ viper.GetString("rekor_server.tink_kek_uri"),
+ viper.GetString("rekor_server.tink_keyset_path"),
+ )
  if err != nil {
  return nil, fmt.Errorf("getting new signer: %w", err)
  }

diff --git a/pkg/signer/memory_test.go b/pkg/signer/memory_test.go
@@ -24,7 +24,7 @@ import (
 func TestMemory(t *testing.T) {
  ctx := context.Background()
 
- m, err := New(ctx, "memory", "")
+ m, err := New(ctx, "memory", "", "", "")
  if err != nil {
  t.Fatalf("new memory: %v", err)
  }

diff --git a/pkg/signer/signer.go b/pkg/signer/signer.go
@@ -32,7 +32,7 @@ import (
  _ "github.com/sigstore/sigstore/pkg/signature/kms/hashivault"
 )
 
-func New(ctx context.Context, signer string, pass string) (signature.Signer, error) {
+func New(ctx context.Context, signer, pass, tinkKEKURI, tinkKeysetPath string) (signature.Signer, error) {
  switch {
  case slices.ContainsFunc(kms.SupportedProviders(),
  func(s string) bool {
@@ -41,6 +41,8 @@ func New(ctx context.Context, signer string, pass string) (signature.Signer, err
  return kms.Get(ctx, signer, crypto.SHA256)
  case signer == MemoryScheme:
  return NewMemory()
+ case signer == TinkScheme:
+ return NewTinkSigner(ctx, tinkKEKURI, tinkKeysetPath)
  default:
  return NewFile(signer, pass)
  }