fips: check provided rekor crypto for fips compliance

Author: JasonPowr

internal/controller/rekor/actions/backfillRedis/backfill_redis_cronjob.go

@@ -15,6 +15,7 @@ import (
 	"github.com/securesign/operator/internal/controller/rekor/actions/searchIndex/redis"
 	"github.com/securesign/operator/internal/images"
 	"github.com/securesign/operator/internal/labels"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"github.com/securesign/operator/internal/utils/kubernetes/ensure"
 	tlsensure "github.com/securesign/operator/internal/utils/tls/ensure"
@@ -62,6 +63,18 @@ func (i backfillRedisCronJob) Handle(ctx context.Context, instance *rhtasv1alpha
 
 	labels := labels.For(actions.BackfillRedisCronJobName, actions.BackfillRedisCronJobName, instance.Name)
 
+	if cryptoutil.FIPSEnabled {
+		if err := cryptoutil.ValidateTrustedCA(ctx, i.Client, instance.Namespace, instance.GetTrustedCA()); err != nil {
+			meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+				Type:    actions.RedisCondition,
+				Status:  metav1.ConditionFalse,
+				Reason:  constants.Failure,
+				Message: err.Error(),
+			})
+			return i.StatusUpdate(ctx, instance)
+		}
+	}
+
 	if result, err = kubernetes.CreateOrUpdate(ctx, i.Client,
 		&batchv1.CronJob{
 			ObjectMeta: metav1.ObjectMeta{

internal/controller/rekor/actions/searchIndex/redis/actions/deployment.go

@@ -13,6 +13,7 @@ import (
 	"github.com/securesign/operator/internal/images"
 	"github.com/securesign/operator/internal/labels"
 	cutils "github.com/securesign/operator/internal/utils"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"github.com/securesign/operator/internal/utils/kubernetes/ensure"
 	"github.com/securesign/operator/internal/utils/kubernetes/ensure/deployment"
@@ -60,6 +61,18 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
 		return i.Error(ctx, fmt.Errorf("failed to get CA path: %w", err), instance)
 	}
 
+	if cryptoutil.FIPSEnabled {
+		if err := cryptoutil.ValidateTrustedCA(ctx, i.Client, instance.Namespace, instance.GetTrustedCA()); err != nil {
+			meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+				Type:    actions.RedisCondition,
+				Status:  metav1.ConditionFalse,
+				Reason:  constants.Failure,
+				Message: err.Error(),
+			})
+			return i.StatusUpdate(ctx, instance)
+		}
+	}
+
 	if result, err = kubernetes.CreateOrUpdate(ctx, i.Client,
 		&v1.Deployment{
 			ObjectMeta: metav1.ObjectMeta{

internal/controller/rekor/actions/searchIndex/redis/actions/tls.go

@@ -8,6 +8,7 @@ import (
 	"github.com/securesign/operator/internal/action"
 	"github.com/securesign/operator/internal/constants"
 	actions2 "github.com/securesign/operator/internal/controller/rekor/actions"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -47,6 +48,18 @@ func (i tlsAction) CanHandle(_ context.Context, instance *rhtasv1alpha1.Rekor) b
 func (i tlsAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor) *action.Result {
 	switch {
 	case specTLS(instance).CertRef != nil:
+		if cryptoutil.FIPSEnabled {
+			if err := cryptoutil.ValidateTLS(i.Client, instance.Namespace, specTLS(instance)); err != nil {
+				meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+					Type:    actions2.RedisCondition,
+					Status:  metav1.ConditionFalse,
+					Reason:  constants.Failure,
+					Message: fmt.Sprintf("TLS material is not FIPS-compliant: %v", err),
+				})
+				i.StatusUpdate(ctx, instance)
+				return i.Requeue()
+			}
+		}
 		setStatusTLS(instance, specTLS(instance))
 	case kubernetes.IsOpenShift():
 		setStatusTLS(instance, rhtasv1alpha1.TLS{

internal/controller/rekor/actions/server/deployment.go

@@ -16,6 +16,7 @@ import (
 	"github.com/securesign/operator/internal/images"
 	"github.com/securesign/operator/internal/labels"
 	utils2 "github.com/securesign/operator/internal/utils"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"github.com/securesign/operator/internal/utils/kubernetes/ensure"
 	"github.com/securesign/operator/internal/utils/kubernetes/ensure/deployment"
@@ -66,6 +67,18 @@ func (i deployAction) Handle(ctx context.Context, instance *rhtasv1alpha1.Rekor)
 	}
 	i.Logger.V(1).Info("trillian logserver", "address", insCopy.Spec.Trillian.Address)
 
+	if cryptoutil.FIPSEnabled {
+		if err := cryptoutil.ValidateTrustedCA(ctx, i.Client, instance.Namespace, instance.GetTrustedCA()); err != nil {
+			meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+				Type:    constants.Ready,
+				Status:  metav1.ConditionFalse,
+				Reason:  constants.Failure,
+				Message: err.Error(),
+			})
+			return i.StatusUpdate(ctx, instance)
+		}
+	}
+
 	if result, err = kubernetes.CreateOrUpdate(ctx, i.Client,
 		&v2.Deployment{
 			ObjectMeta: metav1.ObjectMeta{

internal/controller/rekor/actions/server/generate_signer.go

@@ -17,6 +17,7 @@ import (
 	"github.com/securesign/operator/internal/constants"
 	"github.com/securesign/operator/internal/controller/rekor/actions"
 	"github.com/securesign/operator/internal/labels"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"github.com/securesign/operator/internal/utils/kubernetes/ensure"
 	v1 "k8s.io/api/core/v1"
@@ -174,6 +175,83 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Rekor) *a
 			}
 		}
 	}
+
+	if cryptoutil.FIPSEnabled && newSigner.KeyRef != nil {
+		privateKey, err := kubernetes.GetSecretData(g.Client, instance.Namespace, newSigner.KeyRef)
+		if err != nil {
+			if apierrors.IsNotFound(err) {
+				meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+					Type:    actions.SignerCondition,
+					Status:  metav1.ConditionFalse,
+					Reason:  constants.Failure,
+					Message: err.Error(),
+				})
+				meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+					Type:    actions.ServerCondition,
+					Status:  metav1.ConditionFalse,
+					Reason:  constants.Initialize,
+					Message: fmt.Sprintf("waiting for signer secret %s", newSigner.KeyRef.Name),
+				})
+				if res := g.StatusUpdate(ctx, instance); res != nil && res.Err != nil {
+					return res
+				}
+				return g.Requeue()
+			}
+			return g.Error(ctx, fmt.Errorf("could not load signer private key: %w", err), instance,
+				metav1.Condition{
+					Type:    actions.SignerCondition,
+					Status:  metav1.ConditionFalse,
+					Reason:  constants.Failure,
+					Message: err.Error(),
+				},
+			)
+		}
+
+		var password []byte
+		if newSigner.PasswordRef != nil {
+			password, err = kubernetes.GetSecretData(g.Client, instance.Namespace, newSigner.PasswordRef)
+			if err != nil {
+				if apierrors.IsNotFound(err) {
+					meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+						Type:    actions.SignerCondition,
+						Status:  metav1.ConditionFalse,
+						Reason:  constants.Failure,
+						Message: err.Error(),
+					})
+					meta.SetStatusCondition(&instance.Status.Conditions, metav1.Condition{
+						Type:    actions.ServerCondition,
+						Status:  metav1.ConditionFalse,
+						Reason:  constants.Initialize,
+						Message: fmt.Sprintf("waiting for signer secret %s", newSigner.PasswordRef.Name),
+					})
+					if res := g.StatusUpdate(ctx, instance); res != nil && res.Err != nil {
+						return res
+					}
+					return g.Requeue()
+				}
+				return g.Error(ctx, fmt.Errorf("could not load signer password: %w", err), instance,
+					metav1.Condition{
+						Type:    actions.SignerCondition,
+						Status:  metav1.ConditionFalse,
+						Reason:  constants.Failure,
+						Message: err.Error(),
+					},
+				)
+			}
+		}
+
+		if err := cryptoutil.ValidatePrivateKeyPEM(privateKey, password); err != nil {
+			return g.Error(ctx, fmt.Errorf("signer key is not FIPS-compliant: %w", err), instance,
+				metav1.Condition{
+					Type:    actions.SignerCondition,
+					Status:  metav1.ConditionFalse,
+					Reason:  constants.Failure,
+					Message: err.Error(),
+				},
+			)
+		}
+	}
+
 	instance.Status.Signer = newSigner
 	// force recreation of public key ref
 	instance.Status.PublicKeyRef = nil