-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Very bare bones Signer for Google Cloud KMS: Private keys live in KMS, signing happens in KMS (although payload hashing happens in Signer). This is not super usable without issue 447 but demonstrates the simplicity. Key creation is not supported at this point. A test is added with a few caveats: * dependencies are not added to requirements.txt: this would more than triple the size of requirements-pinned.txt... Not sure what the best path here is * Test only works on GitHub (because of the authentication), and only on branches within the upstream repo: not on PRs from forks * Test is run only once: it's a smoke test, not an exhaustive matrix test.
- Loading branch information
Showing
6 changed files
with
184 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
name: Run KMS tests | ||
|
||
on: | ||
push: | ||
workflow_dispatch: | ||
|
||
permissions: {} | ||
|
||
jobs: | ||
test-kms: | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
id-token: 'write' # for OIDC auth for GCP authentication | ||
|
||
steps: | ||
- name: Checkout securesystemslib | ||
uses: actions/checkout@v2 | ||
|
||
- name: Set up Python | ||
uses: actions/setup-python@v2 | ||
with: | ||
cache: 'pip' | ||
cache-dependency-path: 'requirements*.txt' | ||
|
||
- name: Install dependencies | ||
run: | | ||
python -m pip install --upgrade pip | ||
pip install --upgrade tox | ||
- name: Authenticate to Google Cloud | ||
uses: google-github-actions/auth@c4799db9111fba4461e9f9da8732e5057b394f72 | ||
with: | ||
token_format: access_token | ||
workload_identity_provider: projects/843741030650/locations/global/workloadIdentityPools/securesystemslib-tests/providers/securesystemslib-tests | ||
service_account: securesystemslib-tests@python-tuf-kms.iam.gserviceaccount.com | ||
|
||
- run: tox -e kms |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
google-cloud-kms |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,58 @@ | ||
#!/usr/bin/env python | ||
|
||
""" | ||
This module confirms that signing using KMS keys works. | ||
The purpose is to do a smoke test, not to exhaustively test every possible | ||
key and environment combination. | ||
For Google Cloud (GCP), the requirements to successfully test are: | ||
* Google Cloud authentication details have to be available in the environment | ||
* The key defined in the test has to be available to the authenticated user | ||
NOTE: the filename is purposefully check_ rather than test_ so that tests are | ||
only run when explicitly invoked: The tests can only pass on Securesystemslib | ||
GitHub Action environment because of the above requirements. | ||
""" | ||
|
||
import unittest | ||
|
||
from securesystemslib import keys | ||
from securesystemslib.signer import GCPSigner | ||
|
||
|
||
class TestKMSKeys(unittest.TestCase): | ||
"""Test that KMS keys can be used to sign.""" | ||
|
||
def test_gcp(self): | ||
"""Test that GCP KMS key works for signing | ||
NOTE: The KMS account is setup to only accept requests from the | ||
Securesystemslib GitHub Action environment: test cannot pass elsewhere. | ||
In case of problems with KMS account, please file an issue and | ||
assign @jku. | ||
""" | ||
|
||
data = "data".encode("utf-8") | ||
|
||
pubkey = { | ||
"keyid": "abcd", | ||
"keytype": "ecdsa", | ||
"scheme": "ecdsa-sha2-nistp256", | ||
"keyval": { | ||
"public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/ptvrXYuUc2ZaKssHhtg/IKNbO1X\ncDWlbKqLNpaK62MKdOwDz1qlp5AGHZkTY9tO09iq1F16SvVot1BQ9FJ2dw==\n-----END PUBLIC KEY-----\n" | ||
}, | ||
} | ||
|
||
gcp_id = "projects/python-tuf-kms/locations/global/keyRings/securesystemslib-tests/cryptoKeys/ecdsa-sha2-nistp256/cryptoKeyVersions/1" | ||
hash_algo = "sha256" | ||
|
||
signer = GCPSigner(gcp_id, hash_algo, pubkey["keyid"]) | ||
sig = signer.sign(data) | ||
|
||
self.assertTrue(keys.verify_signature(pubkey, sig.to_dict(), data)) | ||
|
||
|
||
if __name__ == "__main__": | ||
unittest.main(verbosity=1, buffer=True) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters