TykTechnologies / tyk

Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

[TT-6515] Golang plugins signing doesn't support key rotation #4292

Open patriziobrunops opened 2 years ago

patriziobrunops commented 2 years ago

Artifact signing is a pillar of supply chain protection. For it to be reliable, key rotation is a main requirement, in order to protect the supply chain from the compromise of the signing key.

With the current Tyk implementation, the public verification key is statically and centrally configured in tyk.conf, while plugin bundles are signed and then referenced in the ApiDefinition. In addition to this, the plugin's manifest doesn't contain any reference to the signing key. It's just assumed that all the bundles must be signed with the same key-pair used by tyk.conf.

The key rotation process consists of signing with the new key and releasing new plugin bundles, and changing tyk.conf to point to the new key. This disconnect leads to complicated and brittle key rotation operations and potential down-times that affect business operations.

Describe the solution you'd like

Versioning the sign/verify key-pair would solve the problem by allowing Tyk to use multiple verification keys. When a key rotation needs to happen, the new key can be added to Tyk's configuration, while new plugin bundles get released. Once all the plugins have been signed with the new key, the old key can be invalidated/unloaded.

From the implementation standpoint, Tyk should be able to load multiple keys and assign an id to each of them. The plugin-bundle's manifest should contain the id of the key used to sign it.

Additional context

  1. Make public_key_path in tyk.conf point to a dir instead of a file:
    {
        ...
        "enable_bundle_downloader": true,
        "bundle_base_url": "http://localhost:8083/",
        "public_key_path": "/opt/tyk-gateway/keys",
        ...
    }
  2. Fill the path with files having the key-id as name and containing the verification key:
    # ls -l /opt/tyk-gateway/keys/
    total 412
    -rw-r--r--. 1 root root 118272 Sep  8 11:33 20220509-test-plugins.pem
    -rw-r--r--. 1 root root 169984 Sep  8 11:33 20220712-records-verification.pem
    -rw-r--r--. 1 root root 131072 Sep  8 11:33 20220908-payments-auth.pem
  3. Modify the plugin-bundle manifests to specify the id of the key used to sign the bundle:
    {
      "file_list": [
        "paymentsauth-v0.1.0.so"
      ],
      "custom_middleware": {
        "pre": [],
        "post": [],
        "response": [
          {
            "name": "RemoveForbiddenHeaders",
            "path": "paymentsauth-v0.1.0.so"
          }
        ],
        "auth_check": {
          "name": "AuthorizePaymentRequest",
          "path": "paymentsauth-v0.1.0.so"
        },
        "driver": "goplugin"
      },
      "checksum": "9ef53c049644b817aad9a34ecb840c49",
      "signature": "gw/S9ruJoQkfYRTADesTfw5kL4G2h3KMDwCnU59MCTwKq90+1RKSdI8xv9o6fWdcOg+7xWZymtVOfNVJZpYqHOHjOosNDJfRrEzPMm/ATD32sou7gKOR4Qfcf3tbgye4e2oi9YWJFM2F0SE39PEgKhfTtteq9lBRq3ovPmqO66VtF4ZRLrbObOcIUhf6IZ9aGpXKe/ZKQFG7ahhVhWxPvgklA5pyAwRXoHwY6YGdfMUC/koQ9BSWfk20WoILAFUBW6++Z6c+E0qUdr4lehdFdHuYteBFatHF2U06u6ZJ9k7xfMk12ZOPNCfnpuVX9kMy3aaaNbdHPMMuIrRN3yIaNQ==",
      "key_id": "20220908-payments-auth"
    }
OldStubbsy commented 2 years ago

Hi,

Thanks for pointing this issue out. An internal ticket has been raised for this and will be addressed in due course.

andyo-tyk commented 1 year ago

I'm sorry I don't have any update on when we will be able to prioritise this, I just wanted to let you know that it's not forgotten and does sit in the list of new features that we aim to deliver as part of the evolution of Tyk.