fips: check provided tuf crypto for fips compliance

JasonPowr · JasonPowr · commit 387cd1dd3a56 · 2025-12-02T15:27:27.000Z
diff --git a/internal/controller/tuf/actions/resolve_keys.go b/internal/controller/tuf/actions/resolve_keys.go
@@ -10,10 +10,12 @@ import (
 	"github.com/securesign/operator/internal/action"
 	"github.com/securesign/operator/internal/constants"
 	"github.com/securesign/operator/internal/labels"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
 	k8sutils "github.com/securesign/operator/internal/utils/kubernetes"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/meta"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func NewResolveKeysAction() action.Action[*rhtasv1alpha1.Tuf] {
@@ -93,12 +95,19 @@ func (i resolveKeysAction) handleKey(ctx context.Context, instance *rhtasv1alpha
 			return nil, err
 		}
 		key.SecretRef = sks
-		return key, nil
 	case key.SecretRef != nil:
-		return key, nil
+		// continue to validation
 	default:
 		return nil, fmt.Errorf("unable to resolve %s key. Enable autodiscovery or set secret reference", key.Name)
 	}
+
+	if cryptoutil.FIPSEnabled {
+		if err := validateKey(i.Client, instance.Namespace, key); err != nil {
+			return nil, fmt.Errorf("key %s is not FIPS-compliant: %w", key.Name, err)
+		}
+	}
+
+	return key, nil
 }
 
 func (i resolveKeysAction) discoverSecret(ctx context.Context, namespace string, key *rhtasv1alpha1.TufKey) (*rhtasv1alpha1.SecretKeySelector, error) {
@@ -123,3 +132,23 @@ func (i resolveKeysAction) discoverSecret(ctx context.Context, namespace string,
 
 	return nil, errors.New("secret not found")
 }
+
+func validateKey(cli client.Client, namespace string, key *rhtasv1alpha1.TufKey) error {
+	if key.SecretRef == nil {
+		return errors.New("secret reference is not set")
+	}
+
+	data, err := k8sutils.GetSecretData(cli, namespace, key.SecretRef)
+	if err != nil {
+		return err
+	}
+
+	switch key.Name {
+	case "rekor.pub", "ctfe.pub":
+		return cryptoutil.ValidatePublicKeyPEM(data)
+	case "fulcio_v1.crt.pem", "tsa.certchain.pem":
+		return cryptoutil.ValidateCertificatePEM(data)
+	default:
+		return fmt.Errorf("unsupported key %q", key.Name)
+	}
+}
diff --git a/internal/controller/tuf/actions/resolve_keys_test.go b/internal/controller/tuf/actions/resolve_keys_test.go
@@ -2,14 +2,18 @@ package actions
 
 import (
 	"context"
+	"crypto/elliptic"
 	"testing"
 
 	"github.com/go-logr/logr"
 	. "github.com/onsi/gomega"
+	"github.com/onsi/gomega/gstruct"
 	"github.com/securesign/operator/api/v1alpha1"
 	common "github.com/securesign/operator/internal/action"
 	"github.com/securesign/operator/internal/constants"
 	"github.com/securesign/operator/internal/labels"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
+	fipsTest "github.com/securesign/operator/internal/utils/crypto/test"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -171,3 +175,59 @@ func TestKeyDelete(t *testing.T) {
 
 	g.Expect(meta.IsStatusConditionTrue(instance.Status.Conditions, "ctfe.pub")).To(BeTrue())
 }
+
+func TestKeyValidationFailsInFIPS(t *testing.T) {
+	g := NewWithT(t)
+	cryptoutil.FIPSEnabled = true
+	t.Cleanup(func() {
+		cryptoutil.FIPSEnabled = false
+	})
+
+	invalidPub, _, _, err := fipsTest.GenerateECCertificatePEM(false, "", elliptic.P224())
+	g.Expect(err).ToNot(HaveOccurred())
+
+	g.Expect(testAction.Client.Create(testContext, &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "invalid",
+			Namespace: t.Name(),
+		},
+		Data: map[string][]byte{"key": invalidPub},
+	})).To(Succeed())
+
+	instance := &v1alpha1.Tuf{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "tuf",
+			Namespace: t.Name(),
+		},
+		Spec: v1alpha1.TufSpec{
+			Keys: []v1alpha1.TufKey{
+				{
+					Name: "rekor.pub",
+					SecretRef: &v1alpha1.SecretKeySelector{
+						LocalObjectReference: v1alpha1.LocalObjectReference{
+							Name: "invalid",
+						},
+						Key: "key",
+					},
+				},
+			},
+		},
+		Status: v1alpha1.TufStatus{
+			Conditions: []metav1.Condition{{
+				Type:   constants.Ready,
+				Reason: constants.Pending,
+				Status: metav1.ConditionFalse,
+			}},
+		},
+	}
+
+	testAction.Handle(testContext, instance)
+
+	g.Expect(meta.IsStatusConditionFalse(instance.Status.Conditions, "rekor.pub")).To(BeTrue())
+	g.Expect(meta.FindStatusCondition(instance.Status.Conditions, "rekor.pub")).To(
+		gstruct.PointTo(SatisfyAll(
+			HaveField("Reason", Equal(constants.Failure)),
+			HaveField("Message", ContainSubstring("FIPS")),
+		)),
+	)
+}
diff --git a/test/e2e/fips/tuf_test.go b/test/e2e/fips/tuf_test.go
