in-toto / go-witness

Go implementation of witness
Apache License 2.0
16 stars 16 forks

Support to test AWS KMS signing using Localstack #288

Open semmet95 opened 2 weeks ago

semmet95 commented 2 weeks ago

I have been trying to set up acceptance tests for AWS KMS signing but I'm running into,

failed to verify certificate: x509: cannot validate certificate

error for the localstack endpoint. Digging a bit deeper I found that if I hardcode a.options.insecureSkipVerify to true here the signing operation works fine. I also found this function that returns an Option which can set the insecureSkipVerify property to false. But I couldn't figure out how to use it when creating a SignerProvider or a SignerVerifier.
Can someone please help me with configuring this property 🙏 Thanks.

ChaosInTheCRD commented 1 week ago

Hi @semmet95!

Thank you for raising this issue. I think I understand the problem you are facing. As you said you're writing acceptance tests, are these with the intention of submitting them as a PR to the repository? That sounds great if so!

The way the options for KMS providers are wired up is a little tricksy, apologies for this. You will however find some example logic of the KMS provider options getting initialized at https://github.com/in-toto/witness/blob/main/cmd/keyloader.go#L50.

There is a little bit of unwanted behaviour being experienced with KMS (e.g., https://github.com/in-toto/witness/issues/427), so it might be worth noting that I have just submitted a PR to make some changes to how these options are passed around (see https://github.com/in-toto/go-witness/pull/292).

If you want any more specific help with your work, feel free to get in contact with me on the CNCF Slack (Thomas Philip Meadows

ChaosInTheCRD commented 1 week ago

It's also probably worth noting that I will test using Localstack at some point soon in the next day or two, and will report any issues found here.

semmet95 commented 1 day ago

Hey @ChaosInTheCRD

My issue was specific to setting the insecureSkipVerify property to true and I somehow managed to find a way to do that (definitely not elegant but it seems to work 🥹). The loadSigners link you shared helped and I figured out that I could call the option setter function for the "kms-aws" SignerProviderOption, where the configurer name is insecure-skip-verify, providing true as the value for the flag. Here's how I did it.

// Walk the configurers registered for the "kms-aws" signer provider and
// flip the insecure-skip-verify option (needed only for the local Localstack endpoint).
for _, configurer := range witnessProvider.Options["kms-aws"].Init() {
    if configurer.Name() == "insecure-skip-verify" {
        // The option is typed, so assert it to the bool ConfigOption before calling its setter.
        optT := configurer.(*registry.ConfigOption[signer.SignerProvider, bool])
        optT.Setter()(witnessProvider, true)
    }
}

As for submitting a PR to the repo, I'm all for that but I'm not sure where to add what I tested. Maybe in the docs as an example?
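A self-contained sketch of the lookup in the snippet above, added here as an example for this thread and not taken from go-witness itself: the Configurer interface, ConfigOption, KMSProvider and the setter signature are constructed stand-ins whose shape is assumed, and the SetOption helper replaces the unchecked type assertion with a comma-ok check so that an unknown option name or a value of the wrong type comes back as an error instead of a panic.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for go-witness's registry shapes (assumed, not the real API):
// a Configurer has a name, and a ConfigOption carries a typed setter.
type Configurer interface{ Name() string }

type ConfigOption[T any, V any] struct {
	name   string
	setter func(T, V) (T, error)
}

func (c *ConfigOption[T, V]) Name() string                   { return c.name }
func (c *ConfigOption[T, V]) Setter() func(T, V) (T, error) { return c.setter }

// KMSProvider is a hypothetical stand-in for the "kms-aws" signer provider.
type KMSProvider struct {
	Endpoint           string
	InsecureSkipVerify bool // only ever true for a local test endpoint such as Localstack
}

// Init mirrors the Options["kms-aws"].Init() call from the snippet above.
func (p *KMSProvider) Init() []Configurer {
	return []Configurer{
		&ConfigOption[*KMSProvider, string]{"endpoint",
			func(p *KMSProvider, v string) (*KMSProvider, error) { p.Endpoint = v; return p, nil }},
		&ConfigOption[*KMSProvider, bool]{"insecure-skip-verify",
			func(p *KMSProvider, v bool) (*KMSProvider, error) { p.InsecureSkipVerify = v; return p, nil }},
	}
}

// SetOption finds a configurer by name and applies a typed value. Unlike a bare
// type assertion it reports an unknown name or a mismatched value type as an error.
func SetOption[T any, V any](opts []Configurer, target T, name string, val V) (T, error) {
	for _, c := range opts {
		if c.Name() != name {
			continue
		}
		typed, ok := c.(*ConfigOption[T, V])
		if !ok {
			return target, fmt.Errorf("option %q does not accept a %T value", name, val)
		}
		return typed.Setter()(target, val)
	}
	return target, errors.New("no option named " + name)
}

func main() {
	p := &KMSProvider{Endpoint: "https://localhost:4566"} // constructed Localstack-style endpoint
	p, err := SetOption(p.Init(), p, "insecure-skip-verify", true)
	fmt.Println(p.InsecureSkipVerify, err) // true <nil>
}
```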