kubewarden/policy-evaluator

Expose new host callback `v1/crypto` function that verifies via certificate and certificate chain

Closed this issue · 2 comments

Knowing that the cert is signed by the certificates in the chain needs usage of the picky crate, not completely written in Rust, and therefore can't be compiled to Wasm and used directly in the policies. Expose it as a host callback, to be performed via sigstore-rs in policy-server.

Needed by kubewarden/verify-image-signatures#39.

Acceptance criteria:

Expose a new Wapc host callback function, v1/crypto that accepts the certificate used to sign, and an optional certificate chain.

With input:

{
  "type": "SigstoreCertChainVerify",

  // **mandatory**: image URI to verify
  "image": string,
  // **mandatory**: PEM-encoded certificate containing the public part of the key used to sign
  "cert": string,
  // optional
  "cert_chain": [
    // list of PEM-encoded certs, ordered by trust usage (intermediate first, root last)
    string
    ],
  // optional:
  "annotations": [
      // signature annotations
      {
        "key": string,
        "value": string
      },
    ]
}

And output:

{
   // true if image verified
   "is_trusted": boolean,
   // digest of verified image
   "digest": string
}

If cert_chain is omitted or empty, cert is therefore considered trusted.

This new v1/crypto function overload will call new sigstore-rs functionality to validate the provided signature.

Provide unit tests for this new callback. It is possible to create a certificate chain without frets with cfssl, for example.

Update https://docs.kubewarden.io/writing-policies/spec/host-capabilities/signature-verifier-policies with new callback.

I would prefer to start by creating a new waPC function that looks like that (pseudo code):

fn is_certificate_trusted(certificate: string, certificate_chain: []string) bool
  • All the certificates are expected to be PEM encoded.
  • the certificate chain contains all the intermediate certificates first, and then the root CA
  • The function returns true if the certificate has been issued by the root CA or by an intermediate CA that has been issued by the root CA

This function can be added to the existing waPC v2/verify namespace, but it could also be added to a v1/crypto if wanted, because this is not strictly related to verification done via Sigstore. For example, someone could write a policy that validates the certificates used by Ingress services, to make sure they have been issued by a trusted CA.

The goal of this function is to be invoked by the "verify-image-signatures" policy inside of its own validate_settings method.
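To make the proposed semantics concrete, here is an added example of the `is_certificate_trusted(certificate, certificate_chain)` contract sketched above, together with the "empty chain means trusted" rule from the issue body. It is not code from kubewarden, policy-evaluator or sigstore-rs, and it is written in Go rather than Rust only because Go's standard library ships a complete X.509 path builder, so the example runs stand-alone without the picky crate. The names `IsCertificateTrusted`, `BuildDemoChain` and `newCertificate` are assumptions, and the root, intermediate and leaf certificates are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IsCertificateTrusted follows the contract proposed in the thread (the name is
// an assumption): `certificate` is the PEM-encoded leaf, `certificateChain` holds
// PEM-encoded intermediates first and the root CA last. An omitted or empty chain
// makes the leaf trusted by definition, as the issue specifies. A chain that does
// not verify is reported as (false, nil); malformed input is reported as an error.
func IsCertificateTrusted(certificate string, certificateChain []string) (bool, error) {
	if len(certificateChain) == 0 {
		return true, nil
	}
	leaf, err := parsePEMCertificate(certificate)
	if err != nil {
		return false, fmt.Errorf("certificate: %w", err)
	}
	roots := x509.NewCertPool()
	intermediates := x509.NewCertPool()
	last := len(certificateChain) - 1
	for i, p := range certificateChain {
		c, err := parsePEMCertificate(p)
		if err != nil {
			return false, fmt.Errorf("certificate_chain[%d]: %w", i, err)
		}
		if i == last {
			roots.AddCert(c) // the final entry is the trust anchor
		} else {
			intermediates.AddCert(c)
		}
	}
	// Build a path leaf -> intermediates -> root. Signatures, validity periods
	// and CA basic constraints are all checked by the standard library.
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil, nil
}

// parsePEMCertificate decodes exactly one PEM CERTIFICATE block.
func parsePEMCertificate(p string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(p))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("not a PEM-encoded CERTIFICATE")
	}
	return x509.ParseCertificate(block.Bytes)
}

// issued is a constructed certificate kept with its signing key so it can act
// as the parent of the next certificate in the chain.
type issued struct {
	PEM  string
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCertificate issues a constructed test certificate; parent == nil yields a
// self-signed certificate (a root CA when isCA is true).
func newCertificate(cn string, isCA bool, parent *issued) (*issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return &issued{PEM: string(pemBytes), cert: cert, key: key}, nil
}

// BuildDemoChain constructs root -> intermediate -> leaf plus an unrelated root
// CA, returning PEM strings in the order the callback expects (intermediate, root).
func BuildDemoChain() (leaf string, chain []string, unrelatedRoot string, err error) {
	root, err := newCertificate("Demo Root CA", true, nil)
	if err != nil {
		return "", nil, "", err
	}
	inter, err := newCertificate("Demo Intermediate CA", true, root)
	if err != nil {
		return "", nil, "", err
	}
	signer, err := newCertificate("signer@example.com", false, inter)
	if err != nil {
		return "", nil, "", err
	}
	other, err := newCertificate("Unrelated Root CA", true, nil)
	if err != nil {
		return "", nil, "", err
	}
	return signer.PEM, []string{inter.PEM, root.PEM}, other.PEM, nil
}

func main() {
	leaf, chain, other, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	ok, _ := IsCertificateTrusted(leaf, chain)
	fmt.Println("leaf via intermediate + root:", ok)
	ok, _ = IsCertificateTrusted(leaf, []string{other})
	fmt.Println("leaf against unrelated root:", ok)
	ok, _ = IsCertificateTrusted(leaf, []string{chain[1]})
	fmt.Println("leaf with intermediate missing:", ok)
	ok, _ = IsCertificateTrusted(leaf, nil)
	fmt.Println("empty chain, trusted by definition:", ok)
}
```

Two details worth keeping in mind when this lands in the real host callback: the last element of the chain is the only trust anchor, so a caller who passes the root first and the intermediate last would be trusting the intermediate as a root, and the "empty chain is trusted" rule means the policy, not the host, must decide whether a missing chain is acceptable for its use case.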

That's indeed a better approach, I will then start with a v1/crypto and a is_certificate_trusted().