Added --client-signing-algorithms flag (#1974)

* Add agile client signing algorithms support

Signed-off-by: Riccardo Schirone <[email protected]>

* pkg/api: refactor code and restrict checks to hashedrekord

Signed-off-by: Riccardo Schirone <[email protected]>

* remove jar changes

Signed-off-by: Riccardo Schirone <[email protected]>

* update go.mod

Signed-off-by: Riccardo Schirone <[email protected]>

* Add e2e tests for client-signing-algorithms server flag

Signed-off-by: Riccardo Schirone <[email protected]>

---------

Signed-off-by: Riccardo Schirone <[email protected]>

Author: ret2libc

.github/workflows/main.yml

@@ -227,6 +227,31 @@ jobs:
           name: Docker Compose logs
           path: /tmp/*docker-compose.log
 
+  client-algorithms-e2e:
+    runs-on: ubuntu-latest
+    needs: build
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Docker Build
+        run: docker compose build
+      - name: Extract version of Go to use
+        run: echo "GOVERSION=$(awk -F'[:@]' '/FROM golang/{print $2; exit}' Dockerfile)" >> $GITHUB_ENV
+      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+        with:
+          go-version: ${{ env.GOVERSION }}
+
+      - name: Test for supported client algorithms
+        run: ./tests/client-algos-e2e-test.sh
+      - name: Upload logs if they exist
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: failure()
+        with:
+          name: Docker Compose logs
+          path: /tmp/*docker-compose.log
+
   harness:
     runs-on: ubuntu-latest
     needs: build

cmd/rekor-server/app/root.go

@@ -20,11 +20,15 @@ import (
 	"net/http"
 	"net/http/pprof"
 	"os"
+	"sort"
+	"strings"
 	"time"
 
 	"github.com/go-chi/chi/middleware"
 	homedir "github.com/mitchellh/go-homedir"
+	"github.com/sigstore/rekor/pkg/api"
 	"github.com/sigstore/rekor/pkg/log"
+	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
@@ -141,6 +145,18 @@ Memory and file-based signers should only be used for testing.`)
 	rootCmd.PersistentFlags().String("http-request-id-header-name", middleware.RequestIDHeader, "name of HTTP Request Header to use as request correlation ID")
 	rootCmd.PersistentFlags().String("trace-string-prefix", "", "if set, this will be used to prefix the 'trace' field when outputting structured logs")
 
+	keyAlgorithmTypes := []string{}
+	for _, keyAlgorithm := range api.AllowedClientSigningAlgorithms {
+		keyFlag, err := signature.FormatSignatureAlgorithmFlag(keyAlgorithm)
+		if err != nil {
+			panic(err)
+		}
+		keyAlgorithmTypes = append(keyAlgorithmTypes, keyFlag)
+	}
+	sort.Strings(keyAlgorithmTypes)
+	keyAlgorithmHelp := fmt.Sprintf("signing algorithm to use for signing/hashing (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
+	rootCmd.PersistentFlags().StringSlice("client-signing-algorithms", keyAlgorithmTypes, keyAlgorithmHelp)
+
 	if err := viper.BindPFlags(rootCmd.PersistentFlags()); err != nil {
 		log.Logger.Fatal(err)
 	}

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/rs/cors v1.11.1
 	github.com/sassoftware/relic v7.2.1+incompatible
 	github.com/secure-systems-lab/go-securesystemslib v0.9.0
-	github.com/sigstore/sigstore v1.8.12
+	github.com/sigstore/sigstore v1.8.13-0.20250204232249-4b62818325b7
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.6
 	github.com/spf13/viper v1.19.0

go.sum

@@ -413,8 +413,8 @@ github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/sigstore/protobuf-specs v0.4.0 h1:yoZbdh0kZYKOSiVbYyA8J3f2wLh5aUk2SQB7LgAfIdU=
 github.com/sigstore/protobuf-specs v0.4.0/go.mod h1:FKW5NYhnnFQ/Vb9RKtQk91iYd0MKJ9AxyqInEwU6+OI=
-github.com/sigstore/sigstore v1.8.12 h1:S8xMVZbE2z9ZBuQUEG737pxdLjnbOIcFi5v9UFfkJFc=
-github.com/sigstore/sigstore v1.8.12/go.mod h1:+PYQAa8rfw0QdPpBcT+Gl3egKD9c+TUgAlF12H3Nmjo=
+github.com/sigstore/sigstore v1.8.13-0.20250204232249-4b62818325b7 h1:dKgngAj90pDWGKB/yBt/AmSvNFzLOPvYGfEgEKRQWc4=
+github.com/sigstore/sigstore v1.8.13-0.20250204232249-4b62818325b7/go.mod h1:2lXojNsjZjkqu1//FWxq7qUcPB8Lq1KsR5hc+GkcC/4=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.12 h1:EC3UmIaa7nV9sCgSpVevmvgvTYTkMqyrRbj5ojPp7tE=
 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.12/go.mod h1:aw60vs3crnQdM/DYH+yF2P0MVKtItwAX34nuaMrY7Lk=
 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.12 h1:FPpliDTywSy0woLHMAdmTSZ5IS/lVBZ0dY0I+2HmnSY=

pkg/api/api.go

@@ -34,6 +34,7 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 
+	v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 	"github.com/sigstore/rekor/pkg/indexstorage"
 	"github.com/sigstore/rekor/pkg/log"
 	"github.com/sigstore/rekor/pkg/pubsub"
@@ -43,6 +44,7 @@ import (
 	"github.com/sigstore/rekor/pkg/trillianclient"
 	"github.com/sigstore/rekor/pkg/util"
 	"github.com/sigstore/rekor/pkg/witness"
+	"github.com/sigstore/sigstore/pkg/signature"
 
 	_ "github.com/sigstore/rekor/pkg/pubsub/gcp" // Load GCP pubsub implementation
 )
@@ -98,13 +100,26 @@ type API struct {
 	// Publishes notifications when new entries are added to the log. May be
 	// nil if no publisher is configured.
 	newEntryPublisher pubsub.Publisher
+	algorithmRegistry *signature.AlgorithmRegistryConfig
 	// Stores map of inactive tree IDs to checkpoints
 	// Inactive shards will always return the same checkpoint,
 	// so we can fetch the checkpoint on service startup to
 	// minimize signature generations
 	cachedCheckpoints map[int64]string
 }
 
+var AllowedClientSigningAlgorithms = []v1.PublicKeyDetails{
+	v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256,
+	v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256,
+	v1.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256,
+	v1.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256,
+	v1.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384,
+	v1.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512,
+	v1.PublicKeyDetails_PKIX_ED25519,
+	v1.PublicKeyDetails_PKIX_ED25519_PH,
+}
+var DefaultClientSigningAlgorithms = AllowedClientSigningAlgorithms
+
 func NewAPI(treeID uint) (*API, error) {
 	logRPCServer := fmt.Sprintf("%s:%d",
 		viper.GetString("trillian_log_server.address"),
@@ -128,6 +143,32 @@ func NewAPI(treeID uint) (*API, error) {
 	}
 	log.Logger.Infof("Starting Rekor server with active tree %v", tid)
 
+	algorithmsOption := viper.GetStringSlice("client-signing-algorithms")
+	var algorithms []v1.PublicKeyDetails
+	if algorithmsOption == nil {
+		algorithms = DefaultClientSigningAlgorithms
+	} else {
+		for _, a := range algorithmsOption {
+			algorithm, err := signature.ParseSignatureAlgorithmFlag(a)
+			if err != nil {
+				return nil, fmt.Errorf("parsing signature algorithm flag: %w", err)
+			}
+			algorithms = append(algorithms, algorithm)
+		}
+	}
+	algorithmsStr := make([]string, len(algorithms))
+	for i, a := range algorithms {
+		algorithmsStr[i], err = signature.FormatSignatureAlgorithmFlag(a)
+		if err != nil {
+			return nil, fmt.Errorf("formatting signature algorithm flag: %w", err)
+		}
+	}
+	algorithmRegistry, err := signature.NewAlgorithmRegistryConfig(algorithms)
+	if err != nil {
+		return nil, fmt.Errorf("getting algorithm registry: %w", err)
+	}
+	log.Logger.Infof("Allowed client signing algorithms: %v", algorithmsStr)
+
 	shardingConfig := viper.GetString("trillian_log_server.sharding_config")
 	signingConfig := signer.SigningConfig{
 		SigningSchemeOrKeyPath: viper.GetString("rekor_server.signer"),
@@ -179,6 +220,7 @@ func NewAPI(treeID uint) (*API, error) {
 		logRanges: ranges,
 		// Utility functionality not required for operation of the core service
 		newEntryPublisher: newEntryPublisher,
+		algorithmRegistry: algorithmRegistry,
 		cachedCheckpoints: cachedCheckpoints,
 	}, nil
 }

pkg/api/entries.go

@@ -18,12 +18,18 @@ package api
 import (
 	"bytes"
 	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
+	"crypto/x509"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
@@ -43,11 +49,13 @@ import (
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/generated/restapi/operations/entries"
 	"github.com/sigstore/rekor/pkg/log"
+	"github.com/sigstore/rekor/pkg/pki/identity"
 	"github.com/sigstore/rekor/pkg/pubsub"
 	"github.com/sigstore/rekor/pkg/sharding"
 	"github.com/sigstore/rekor/pkg/tle"
 	"github.com/sigstore/rekor/pkg/trillianclient"
 	"github.com/sigstore/rekor/pkg/types"
+	hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	"github.com/sigstore/rekor/pkg/util"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/options"
@@ -192,12 +200,101 @@ func GetLogEntryByIndexHandler(params entries.GetLogEntryByIndexParams) middlewa
 	return entries.NewGetLogEntryByIndexOK().WithPayload(logEntry)
 }
 
+func getArtifactHashValue(entry types.EntryImpl) crypto.Hash {
+	artifactHash, err := entry.ArtifactHash()
+	if err != nil {
+		// Default to SHA256 if no artifact hash is specified
+		return crypto.SHA256
+	}
+
+	var artifactHashAlgorithm string
+	algoPosition := strings.Index(artifactHash, ":")
+	if algoPosition != -1 {
+		artifactHashAlgorithm = artifactHash[:algoPosition]
+	}
+	switch artifactHashAlgorithm {
+	case "sha256":
+		return crypto.SHA256
+	case "sha384":
+		return crypto.SHA384
+	case "sha512":
+		return crypto.SHA512
+	default:
+		return crypto.SHA256
+	}
+}
+
+func getPublicKey(identity identity.Identity) (crypto.PublicKey, error) {
+	switch identityCrypto := identity.Crypto.(type) {
+	case *x509.Certificate:
+		return identityCrypto.PublicKey, nil
+	case *rsa.PublicKey:
+		return identityCrypto, nil
+	case *ecdsa.PublicKey:
+		return identityCrypto, nil
+	case ed25519.PublicKey:
+		return identityCrypto, nil
+	default:
+		return nil, fmt.Errorf("unsupported public key type: %T", identityCrypto)
+	}
+}
+
+func checkEntryAlgorithms(entry types.EntryImpl) (bool, error) {
+	// Only check algorithms for hashedrekord entries
+	switch entry.(type) {
+	case *hashedrekord.V001Entry:
+		break
+	default:
+		return true, nil
+	}
+
+	verifiers, err := entry.Verifiers()
+	if err != nil {
+		return false, err
+	}
+
+	artifactHashValue := getArtifactHashValue(entry)
+
+	// Check if all the verifiers public keys (together with the
+	// artifactHashValue) are allowed according to the policy
+	for _, v := range verifiers {
+		identities, err := v.Identities()
+		if err != nil {
+			return false, err
+		}
+
+		for _, identity := range identities {
+			publicKey, err := getPublicKey(identity)
+			if err != nil {
+				return false, err
+			}
+			isPermitted, err := api.algorithmRegistry.IsAlgorithmPermitted(publicKey, artifactHashValue)
+			if err != nil {
+				return false, fmt.Errorf("checking if algorithm is permitted: %w", err)
+			}
+			if !isPermitted {
+				return false, nil
+			}
+		}
+	}
+	return true, nil
+}
+
 func createLogEntry(params entries.CreateLogEntryParams) (models.LogEntry, middleware.Responder) {
 	ctx := params.HTTPRequest.Context()
 	entry, err := types.CreateVersionedEntry(params.ProposedEntry)
 	if err != nil {
 		return nil, handleRekorAPIError(params, http.StatusBadRequest, err, fmt.Sprintf(validationError, err))
 	}
+
+	areEntryAlgorithmsAllowed, err := checkEntryAlgorithms(entry)
+	if err != nil {
+		return nil, handleRekorAPIError(params, http.StatusBadRequest, err, fmt.Sprintf(validationError, err))
+	}
+	if !areEntryAlgorithmsAllowed {
+		return nil, handleRekorAPIError(params, http.StatusBadRequest, errors.New("entry algorithms are not allowed"), fmt.Sprintf(validationError, "entry algorithms are not allowed"))
+	}
+
 	leaf, err := types.CanonicalizeEntry(ctx, entry)
 	if err != nil {
 		var validationErr *types.InputValidationError