search

kubewarden / policy-evaluator

Crate used by Kubewarden that is able to evaluate policies with a given input, request to evaluate and settings.
Apache License 2.0
15 stars 9 forks source link

Expose new host callback `v1/crypto` function that verifies via certificate and certificate chain #200

Closed viccuad closed 1 year ago

viccuad commented 1 year ago

Knowing that the cert is signed by the certificates in the chain needs usage of the picky crate, not completely written in Rust, and therefore can't be compiled to Wasm and used directly in the policies. Expose it as a host callback, to be performed via sigstore-rs in policy-server.

Needed by https://github.com/kubewarden/verify-image-signatures/issues/39.

Acceptance criteria:

Expose a new Wapc host callback function, v1/crypto that accepts the certificate used to sign, and an optional certificate chain.

With input:

{
  type: "SigstoreCertChainVerify",

  // **mandatory**: image URI to verify
  "image": string,
  // **mandatory**: PEM-encoded certificate containing the public part of the key used to sign
  "cert": string
  // optional
  "cert_chain": [
    // list of PEM-encoded certs, ordered by trust usage (intermediate first, root last)
    string
    ],
  // optional:
  "annotations": [
      // signature annotations
      {
        "key": string,
        "value": string
      },
    ]
}

And output:

{
   // true if image verified
   "is_trusted": boolean,
   // digest of verified image
   "digest": string
}

If cert_chain is omitted or empty, cert is therefore considered trusted.

This new v1/crypto function overload will call new sigstore-rs functionality to validate the provided signature.

Provide unit tests for this new callback. It is possible to create a certificate chain without frets with cfssl, for example.

Update https://docs.kubewarden.io/writing-policies/spec/host-capabilities/signature-verifier-policies with new callback.

flavio commented 1 year ago

I would prefer to start by creating a new waPC function that looks like that (pseudo code):

fn is_certificate_trusted(certificate: string, certificate_chain: []string) bool

This function can be added to the existing waPC v2/verify namespace, but it could also be added to a v1/crypto if wanted, because this is not strictly related with verification done via Sigstore. For example, someone could write a policy that validates the certificates used by Ingress services, to make sure they have been issued by a trusted CA.

The goal of this function is to be invoked by the "verify-image-signatures" policy inside of its own validate_settings method.

viccuad commented 1 year ago

That's indeed a better approach, I will then start with a v1/crypto and a is_certificate_trusted().