Closed viccuad closed 1 year ago
I would prefer to start by creating a new waPC function that looks like that (pseudo code):

fn is_certificate_trusted(certificate: string, certificate_chain: []string) bool

This function can be added to the existing waPC v2/verify namespace, but it could also be added to a v1/crypto namespace if wanted, because this is not strictly related to verification done via Sigstore. For example, someone could write a policy that validates the certificates used by Ingress services, to make sure they have been issued by a trusted CA.

The goal of this function is to be invoked by the "verify-image-signatures" policy inside of its own validate_settings method.
That's indeed a better approach. I will then start with a v1/crypto namespace and an is_certificate_trusted() function.
Knowing that the cert is signed by the certificates in the chain needs usage of the picky crate, which is not completely written in Rust and therefore can't be compiled to Wasm and used directly in the policies. Expose it as a host callback, to be performed via sigstore-rs in policy-server.

Needed by https://github.com/kubewarden/verify-image-signatures/issues/39.
Acceptance criteria:

Expose a new waPC host callback function, v1/crypto, that accepts the certificate used to sign and an optional certificate chain. With input:

And output:

If cert_chain is omitted or empty, cert is therefore considered trusted. This new v1/crypto function overload will call new sigstore-rs functionality to validate the provided signature.

Provide unit tests for this new callback. It is possible to create a certificate chain without fuss with cfssl, for example.

Update https://docs.kubewarden.io/writing-policies/spec/host-capabilities/signature-verifier-policies with the new callback.
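A worked sketch of the semantics the acceptance criteria describe (cert plus optional cert_chain, empty chain means trusted), added here as an example and not code from kubewarden, sigstore-rs or picky. It is written in Go against the standard library's crypto/x509 so it runs offline; the real host callback would be Rust and, as the issue says, go through sigstore-rs and picky. The function name isCertificateTrusted and its (bool, error) shape follow the proposed signature; newCert and buildDemoChain generate throwaway self-signed fixtures (constructed data, not real CAs) so the check can be exercised end to end, including the failure modes a policy author cares about: a missing intermediate, an unrelated root, and malformed input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func parsePEM(s string) (*x509.Certificate, error) { // one PEM CERTIFICATE block -> parsed cert
	if b, _ := pem.Decode([]byte(s)); b != nil && b.Type == "CERTIFICATE" {
		return x509.ParseCertificate(b.Bytes)
	}
	return nil, fmt.Errorf("not a PEM CERTIFICATE block")
}

// isCertificateTrusted mirrors the proposed is_certificate_trusted(cert, cert_chain) callback:
// self-signed entries of certChain are trust anchors, the rest intermediates, and cert is trusted
// when a valid path from it to an anchor exists. Empty chain => trusted, as the acceptance criteria
// say. An error means malformed input, never a merely untrusted certificate.
func isCertificateTrusted(certPEM string, certChain []string) (bool, error) {
	if len(certChain) == 0 {
		return true, nil
	}
	leaf, err := parsePEM(certPEM)
	if err != nil {
		return false, fmt.Errorf("cert: %w", err)
	}
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for i, p := range certChain {
		c, err := parsePEM(p)
		if err != nil {
			return false, fmt.Errorf("cert_chain[%d]: %w", i, err)
		}
		pool := intermediates
		if c.CheckSignatureFrom(c) == nil { // a CA that validly signs itself is a root
			pool = roots
		}
		pool.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // path validity only, no EKU policy
	})
	return err == nil, nil
}

func must(err error) { // fixture generation below is not expected to fail
	if err != nil {
		panic(err)
	}
}

// newCert issues a cert for subject (a CA when usage has CertSign), self-signed if parent is nil.
// Constructed fixture for this example, not a real CA. Returns the cert, its key and its PEM.
func newCert(subject string, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, string) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              usage,
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
	}
	issuer, signer := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		issuer, signer = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// buildDemoChain builds root -> intermediate -> leaf plus an unrelated root (constructed data)
// and returns their PEM encodings as (root, intermediate, leaf, otherRoot).
func buildDemoChain() (string, string, string, string) {
	root, rootKey, rootPEM := newCert("Demo Root CA", x509.KeyUsageCertSign, nil, nil)
	inter, interKey, interPEM := newCert("Demo Intermediate CA", x509.KeyUsageCertSign, root, rootKey)
	_, _, leafPEM := newCert("signer@example.com", x509.KeyUsageDigitalSignature, inter, interKey)
	_, _, otherPEM := newCert("Unrelated Root CA", x509.KeyUsageCertSign, nil, nil)
	return rootPEM, interPEM, leafPEM, otherPEM
}

func main() {
	root, inter, leaf, other := buildDemoChain()
	names := []string{"root + intermediate", "root only", "unrelated root + intermediate", "empty chain"}
	for i, chain := range [][]string{{root, inter}, {root}, {other, inter}, nil} {
		ok, err := isCertificateTrusted(leaf, chain)
		fmt.Printf("%-30s trusted=%v err=%v\n", names[i], ok, err)
	}
}
```

Two design points worth keeping in mind when the real callback is written. First, only the self-signed entries of cert_chain are treated as anchors here, so a caller that passes just the issuing intermediate gets false rather than true; whether that is the intended contract should be settled in the docs update. Second, the empty-chain case returns true because the acceptance criteria say so, which is a fail-open default: a policy that forgets to set cert_chain will accept any certificate, so the policy's own settings validation should decide whether an absent chain is acceptable.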