diff --git a/cmd/rekor-server/app/root.go b/cmd/rekor-server/app/root.go
index cebc28d2a..daae2e5db 100644
--- a/cmd/rekor-server/app/root.go
+++ b/cmd/rekor-server/app/root.go
@@ -117,6 +117,8 @@ Memory and file-based signers should only be used for testing.`)
 	rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
 	rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint")
 	rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'")
+	rootCmd.PersistentFlags().String("tls-ca-cert", "", "Certificate file to use for secure connections with Trillian server")
+	rootCmd.PersistentFlags().Bool("trillian_log_server.tls", false, "Use system trust store for TLS")
 	rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
 	rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
diff --git a/docker-compose.yml b/docker-compose.yml
index 91e7ccff7..de953770d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -75,7 +75,12 @@ services:
       "--http_endpoint=0.0.0.0:8091",
       "--force_master",
       "--alsologtostderr",
+      "--tls_cert_file=/etc/tls/tls.crt",
+      "--tls_key_file=/etc/tls/tls.key"
     ]
+    volumes:
+      - /tests/sharding-testdata/tls.crt:/etc/tls/tls.crt
+      - /tests/sharding-testdata/tls.key:/etc/tls/tls.key
     restart: always # retry while mysql is starting up
     ports:
       - "8092:8091"
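Review bot: The flag is registered as `tls-ca-cert` on the first added line, but api.go in this same change reads `viper.GetString("tls_ca_cert")` and docker-compose.yml passes `--tls_ca_cert=...`; without a key replacer (none is visible in this change) the hyphenated pflag name never populates the underscored viper key, and cobra would most likely reject the compose invocation as an unknown flag. The sibling flag on the next line is namespaced as `trillian_log_server.tls`, so the CA flag should follow that scheme and the reader in api.go should look up the same key: `rootCmd.PersistentFlags().String("trillian_log_server.tls_ca_cert", "", "CA certificate file used to verify the TLS connection to the Trillian log server")`. The description should also say it is a CA certificate, since api.go installs the file as `RootCAs` rather than presenting it as a client certificate.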
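Review bot: The two volume sources `/tests/sharding-testdata/tls.crt` and `/tests/sharding-testdata/tls.key` are absolute host paths, so compose bind-mounts from the host's filesystem root rather than from the repository checkout; unless the checkout lives at `/`, Docker either fails the mount or creates an empty placeholder, and trillian's `--tls_cert_file`/`--tls_key_file` point at nothing usable. Paths relative to the compose file fix that, and the existing attestations mount in the rekor-server service carries a `:z` SELinux label these should match: `- ./tests/sharding-testdata/tls.crt:/etc/tls/tls.crt:z` and `- ./tests/sharding-testdata/tls.key:/etc/tls/tls.key:z`. The same absolute-path source is used for the ca.crt mount in the rekor-server hunk that follows.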
@@ -102,11 +107,13 @@ services:
       "--enable_stable_checkpoint",
       "--search_index.storage_provider=mysql",
       "--search_index.mysql.dsn=test:zaphod@tcp(mysql:3306)/test",
+      "--tls_ca_cert=/etc/tls/ca.crt"
       # Uncomment this for production logging
       # "--log_type=prod",
     ]
     volumes:
       - "/var/run/attestations:/var/run/attestations:z"
+      - /tests/sharding-testdata/ca.crt:/etc/tls/ca.crt
     restart: always # keep the server running
     ports:
       - "3000:3000"
diff --git a/pkg/api/api.go b/pkg/api/api.go
index aba59b25e..63983030a 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -22,12 +22,15 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"fmt"
+	"os"
+	"path/filepath"
 
 	"github.com/google/trillian"
 	"github.com/redis/go-redis/v9"
 	"github.com/spf13/viper"
 	"golang.org/x/exp/slices"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
 	"github.com/sigstore/rekor/pkg/indexstorage"
@@ -47,7 +50,32 @@ import (
 func dial(rpcServer string) (*grpc.ClientConn, error) {
 	// Set up and test connection to rpc server
-	creds := insecure.NewCredentials()
+	var creds credentials.TransportCredentials
+	tlsCACertFile := viper.GetString("tls_ca_cert")
+	useSystemTrustStore := viper.GetBool("trillian_log_server.tls")
+
+	if useSystemTrustStore {
+		creds = credentials.NewTLS(&tls.Config{
+			ServerName: rpcServer,
+			MinVersion: tls.VersionTLS12,
+		})
+	} else if tlsCACertFile == "" {
+		creds = insecure.NewCredentials()
+	} else {
+		tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
+		if err != nil {
+			log.Logger.Fatalf("Failed to load tls_ca_cert:", err)
+		}
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(tlsCaCert) {
+			return nil, fmt.Errorf("failed to append CA certificate to pool")
+		}
+		creds = credentials.NewTLS(&tls.Config{
+			ServerName: rpcServer,
+			RootCAs:    certPool,
+			MinVersion: tls.VersionTLS12,
+		})
+	}
 	conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds))
 	if err != nil {
 		log.Logger.Fatalf("Failed to connect to RPC server:", err)
diff --git a/tests/sharding-testdata/ca.crt b/tests/sharding-testdata/ca.crt
new file mode 100644
index 000000000..982656da4
--- /dev/null
+++ b/tests/sharding-testdata/ca.crt
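Review bot: `ServerName: rpcServer` in both TLS branches hands the whole dial target to the TLS config; the same value is passed to `grpc.NewClient` below, which suggests an `address:port` form, and a name containing a port is never a valid hostname candidate for `VerifyHostname`, so enabling either `trillian_log_server.tls` or `tls_ca_cert` would fail verification against any server certificate. Derive the name with `net.SplitHostPort` (falling back to the raw string when no port is present) or leave `ServerName` empty and let gRPC derive it from the authority. The `log.Logger.Fatalf("Failed to load tls_ca_cert:", err)` call has no format verb for `err` (go vet flags this) and exits the process, whereas the `AppendCertsFromPEM` failure two lines later returns an error; returning `fmt.Errorf("reading tls_ca_cert %q: %w", tlsCACertFile, err)` keeps the two paths consistent. When both settings are given the system-trust branch wins and the configured CA file is silently ignored, which deserves a comment or an explicit rejection of the combination. dial's closing brace lies outside the hunk, and the `net` import would need to be added to the import block.
```go
	// … unchanged: read tls_ca_cert / trillian_log_server.tls settings …

	// Hostname verification needs the bare host; the dial target may carry a port.
	serverName, _, err := net.SplitHostPort(rpcServer)
	if err != nil {
		serverName = rpcServer
	}

	if useSystemTrustStore {
		creds = credentials.NewTLS(&tls.Config{
			ServerName: serverName,
			MinVersion: tls.VersionTLS12,
		})
	} else if tlsCACertFile == "" {
		creds = insecure.NewCredentials()
	} else {
		tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
		if err != nil {
			return nil, fmt.Errorf("reading tls_ca_cert %q: %w", tlsCACertFile, err)
		}
		// … unchanged: certPool construction …
		creds = credentials.NewTLS(&tls.Config{
			ServerName: serverName,
			RootCAs:    certPool,
			MinVersion: tls.VersionTLS12,
		})
	}
	// … unchanged: grpc.NewClient and error handling …
```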
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDATCCAemgAwIBAgIUXVkFgPS1jbBHhXk2M3NKTfOkTeIwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFTXkgQ0EwHhcNMjQwNzAyMTU0MDQwWhcNMjUwNzAyMTU0
+MDQwWjAQMQ4wDAYDVQQDDAVNeSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOM3859H+Kod32SgW2zHN3KN3+r3fXVnkpA+j0CR0Vq1YEcexsQIaXJx
+hXUXK4EXsa6lnzqqquCo5OmpTs1ZUWyFdlrFSwes2RFLOJ/QIVGSyVirtYOpgFdo
+F/cmfI66UNeH1UpAsf2tTjcDmE5A8aAaoyQllIUZ8QqhDjNy3i6zPAf+cW9+wq8w
+nk8M9blcXg0v6gjIA0e6XnkHyNmUep3bUbpQ9JbtD901/hbmM/uYu0VoyaxhTwha
+2zRqmkK1EOqTvsoI2g3WSnTLL+H9bWdJg1HSYA/MQCkNOpOWO3SRIxNKDysYRMoW
+eJigHE5/Fcs0q7zkIZXfJkFXINQVglMCAwEAAaNTMFEwHQYDVR0OBBYEFJdAxaB8
+JkZN9z/fT5Bgn5wnK830MB8GA1UdIwQYMBaAFJdAxaB8JkZN9z/fT5Bgn5wnK830
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADbQ7wkSoLyhcbc7
+du7bLTFk7xTg0WV6IiV0ZmBxGVvRW6kjUA1diH+Sr1Gy4Z+HmVhT28zFVVKNataE
+g53n9wJigH7FwMVqNrZHD6V7JXc2il+lO9ICvGnH4xYUQBjNHu99g10WAeA706M7
+IlbGIsFc+tWcplpFW2H/UIIio3fLq1HCRe7WbbQHsbZ5OkoeUhu9YCvslqSa0w/f
+t7d8oDZltquH7zkiZoqY6hNZTJYy2+5HSjx3n/QumKuzuhhEjGuG8LX8dNrL4k6y
+nqVf3PBWlMeK+jwwa9AXcqcL+5a/npeM5Z7UOA6W/I+zVop6OZK7KohKeDIErC/t
+Tn8+2Co=
+-----END CERTIFICATE-----
diff --git a/tests/sharding-testdata/tls.crt b/tests/sharding-testdata/tls.crt
new file mode 100644
index 000000000..518c80d78
--- /dev/null
+++ b/tests/sharding-testdata/tls.crt
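Review bot: The CA certificate added here has a one-year validity window — the two UTCTime fields in the second base64 line decode to notBefore 2024-07-02 15:40:40Z and notAfter 2025-07-02 15:40:40Z — so the docker-compose TLS wiring that trusts it in this change stops working after that date with a certificate-expired handshake error. A checked-in test CA should either be generated at test or compose start-up or be minted with a lifetime that outlives the fixture (for example `openssl req -x509 -days 3650 ...`). A short README or comment beside the fixture stating that it is test-only (subject `CN=My CA`, basicConstraints CA:TRUE) and how to regenerate it would spare the next maintainer from decoding the DER to find out.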
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIUXBONalvsgMSSss6Ac9F+Qiy0RoMwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFTXkgQ0EwHhcNMjQwNzAyMTU0MDQwWhcNMjUwNzAyMTU0
+MDQwWjAeMRwwGgYDVQQDDBN0cmlsbGlhbi1sb2ctc2VydmVyMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuSy6h6wZ4C8HEmeZMnqwYviJiTcjxXArZaPx
+ytxrvUOKviyA7oRhepOtSwpuUGh38+yrW6g9fv0c88DLktOwsNGSNZx9Gn8P0cLO
+PO1qzXI0zxNwzaTvywHEpUHIynrEILwy5orAcuP004P3Wsx4k2vhe5YdWZBdcw2V
+MFbJxOcHVXcrgENsFJkn6M6IuJ3yx+YClaRmYdp8C2jn3uHl4XQt+33kPPiWVj6l
+lhW2vkpTzvBLQKwAav6ZCckJGCzUI7deYcZGEkSS0KYfzhH7oODZaLFaKywUHM61
+uqZ5N6e/HiNNpQdf5tI1Zqf6Aoa5YQSBvY9oynbCYoMdgUwOnQIDAQABo0IwQDAd
+BgNVHQ4EFgQUKR3YSbyQ7sBy5ekiKbOsOKR07CUwHwYDVR0jBBgwFoAUl0DFoHwm
+Rk33P99PkGCfnCcrzfQwDQYJKoZIhvcNAQELBQADggEBAEx7hg6YEh9r76afDGg/
+Wm/7cru3jyHKrJOogIdvYqmyCXVTez4ZanHKAfjqv8V/WCeW+ZXqjQsKwMy4napx
+GGc1JxvLrF5dO0LS0jRT32HD/qAV14HNV7anN0YotbxSenAJlHG7H6uxfHvo1k/R
+rte2JKUF0ut3P0cLIdnWGW6fIpB2lnmXFnb6FBtxRZFxFzsV+TBLX+1L0xOrFuvq
+lI6Fu4xav5UwJs1ZMf3LhpGVLk5jmvUhnuWXwMYkcWqcCV9R0NKk49xyZ3uU2KYN
+crCHIepUbe/efDWBZMexNDqOKMtedoE5gWP4VjYV+AK4e160zig9sJw6q6KCPdie
+y3E=
+-----END CERTIFICATE-----
diff --git a/tests/sharding-testdata/tls.key b/tests/sharding-testdata/tls.key
new file mode 100644
index 000000000..10595c5db
--- /dev/null
+++ b/tests/sharding-testdata/tls.key
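Review bot: The server certificate carries exactly two extensions, subjectKeyIdentifier and authorityKeyIdentifier (the `o0IwQDAd...` and `MB8GA1UdIw...` segments), and no subjectAltName; the host name `trillian-log-server` appears only in the subject CN. Go's crypto/tls, which the rekor-server client in this change uses for verification, has ignored the Common Name since Go 1.15 (with no opt-out since 1.17) and rejects such a certificate with `x509: certificate relies on legacy Common Name field, use SANs instead`, so the rekor-server to trillian-log-server connection configured in docker-compose.yml cannot verify even once the CA is trusted. Regenerate it with a SAN matching the compose service name, e.g. `openssl req ... -addext "subjectAltName=DNS:trillian-log-server"`. It also shares the CA's one-year validity ending 2025-07-02, so regenerating at test time rather than committing a fixed leaf would address both problems.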
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5LLqHrBngLwcS
+Z5kyerBi+ImJNyPFcCtlo/HK3Gu9Q4q+LIDuhGF6k61LCm5QaHfz7KtbqD1+/Rzz
+wMuS07Cw0ZI1nH0afw/Rws487WrNcjTPE3DNpO/LAcSlQcjKesQgvDLmisBy4/TT
+g/dazHiTa+F7lh1ZkF1zDZUwVsnE5wdVdyuAQ2wUmSfozoi4nfLH5gKVpGZh2nwL
+aOfe4eXhdC37feQ8+JZWPqWWFba+SlPO8EtArABq/pkJyQkYLNQjt15hxkYSRJLQ
+ph/OEfug4NlosVorLBQczrW6pnk3p78eI02lB1/m0jVmp/oChrlhBIG9j2jKdsJi
+gx2BTA6dAgMBAAECggEAJGMx91GeFxPeraLuc4Ew8o3Yxv4vGQ/o8zTjYWPthvhE
+BglMP7KDTjlBQx72XPYeZjAiXyVBClh2LT78MerHzIMuGjtZSRDhXKyNZuMXiu4P
+iwaMsthfp5J+ICQ8bu9vZWheDzgCR8FcPYkv3OeTpRJ8sVKnC0/HUUHAyIoxZW/S
+9PAIAbfHq2Uiq9LdBpUkwlDiOBh4lJBv7dlCR0xves4YpOc5KiVyKf4JYB78lpRs
+9Np3ag3hoIgYQniIPF9iQXYp2nPGtzzlZpz/NSLzK4I70fEnWG0kj8sT0ddeLHgK
+YVvrnynO6SieqLkaY34pC/LlJLOGCbTn5moKXQouwQKBgQD/TPGDh+FZsHV/WwQC
+9/p8578ST+kGEBDMx9BP4IDI09nLq/x5/iE8r8gYS78nGtaIO5WlhZxVLwHBjuj3
+23UE9Y0IdSHKuEI/ST8c0r23rfTJZ5L4OG7BtMlJuOqJwzL68qc/Sz5PUveGdtgz
+1778yv1vlMuMGUdQhX3AL/aZQQKBgQC5rpofRBbsajI31CzVoBL/LAzeA7EdjpIm
+Ng9gAn/4I5UJqFSF6ffFUsA22H8wQ+QoV8jocUV57/udB+6ehn1YGfSeI/3WVIPz
+edZdT9bhfJZjwkNx/la/yzyjGLwZXKrRoSyShWPm1qAcLVXTzUVZFQhJYnvgmoZl
+Ze4gQ6viXQKBgGkI6/hUaCdxTPYHqR/bjEflRJwxGkrvQyotLwwd7n4xgtKjwK0k
+G+KO44DzcQKSrR7BfPDrhoUZYNyUgk6vEHbo24xWPH/dzQuig//EyF8Qh7xxC2tq
+NE8npQTaukvRbmEGgj6tI0aZeNLuhEbYBXCVxy0oB5JtOATt1u3CDe/BAoGAa7hD
+aUgTFGw3XfQVXolS+/4OKO5zXfZMCybpnIVWwBnEaKni/x1QxITRRgArKVD5l/31
+bAPqjmcOzXbAk+7p4KaOJwAyTpkRQ7q3BcM/oeipRo54mjU3FmVNdEDxPrVn091x
+Aj+oSU7R7AbQ9+LqDFgLSqd7vj1nIoQTtVwM53ECgYEA9GXX/vIxSKIb8pDhvaqH
+GkCPeRo+gLNAzWdtz97wRqH+d6zIhcO36xExmKpwbzT87lJQYSIyJhP/lC/o/Gaj
+R5Oj1rnmQd92j0QKVF4kN6qf2wMqj5RrTRtEWBZGV34iKTa2zF09++79JOoKXvV4
+kZPEpMMHPqDmvcPzWBaBI/U=
+-----END PRIVATE KEY-----
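Review bot: This commits an unencrypted RSA private key to the repository; it is the key pair behind the test-only `CN=trillian-log-server` certificate beside it (the modulus prefix `b9 2c ba 87 ac 19 e0 2f 07` matches), but secret scanners such as GitHub push protection, gitleaks and trufflehog will flag `-----BEGIN PRIVATE KEY-----` on every clone and PR, and the key is now part of permanent history even if later replaced. Generating the CA and leaf at test or compose start-up (a small `openssl` script under tests/) avoids committing key material at all and also removes the fixed expiry of the accompanying certificates. If the fixture must stay, add a comment or README line beside it stating it is a throwaway test key, and a scanner allowlist entry for the path so the noise does not train people to ignore real findings.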