fips: check provided tsa crypto for fips compliance

Author: JasonPowr

internal/controller/tsa/actions/generate_signer.go

@@ -16,6 +16,7 @@ import (
 	tsaUtils "github.com/securesign/operator/internal/controller/tsa/utils"
 	"github.com/securesign/operator/internal/labels"
 	"github.com/securesign/operator/internal/utils"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"github.com/securesign/operator/internal/utils/kubernetes/ensure"
 	v1 "k8s.io/api/core/v1"
@@ -219,22 +220,30 @@ func (g generateSigner) Handle(ctx context.Context, instance *v1alpha1.Timestamp
 	return g.StatusUpdate(ctx, instance)
 }
 
-func (g generateSigner) handleSignerKeys(instance *v1alpha1.TimestampAuthority, config *tsaUtils.TsaCertChainConfig) (*tsaUtils.TsaCertChainConfig, error) {
+func (g generateSigner) handleSignerKeys(instance *v1alpha1.TimestampAuthority, config *tsaUtils.TsaCertChainConfig) (*tsaUtils.TsaCertChainConfig, error) { //nolint:gocyclo
 	if instance.Spec.Signer.File != nil {
 		if instance.Spec.Signer.File.PrivateKeyRef != nil {
 			key, err := kubernetes.GetSecretData(g.Client, instance.Namespace, instance.Spec.Signer.File.PrivateKeyRef)
 			if err != nil {
 				return nil, err
 			}
-			config.LeafPrivateKey = key
 
+			var password []byte
 			if ref := instance.Spec.Signer.File.PasswordRef; ref != nil {
-				password, err := kubernetes.GetSecretData(g.Client, instance.Namespace, ref)
+				password, err = kubernetes.GetSecretData(g.Client, instance.Namespace, ref)
 				if err != nil {
 					return nil, err
 				}
-				config.LeafPrivateKeyPassword = password
 			}
+
+			if cryptoutil.FIPSEnabled {
+				if err := cryptoutil.ValidatePrivateKeyPEM(key, password); err != nil {
+					return nil, err
+				}
+			}
+
+			config.LeafPrivateKey = key
+			config.LeafPrivateKeyPassword = password
 		}
 
 		if ref := instance.Spec.Signer.CertificateChain.CertificateChainRef; ref == nil {
@@ -257,15 +266,23 @@ func (g generateSigner) handleSignerKeys(instance *v1alpha1.TimestampAuthority,
 				if err != nil {
 					return nil, err
 				}
-				config.RootPrivateKey = key
 
-				if ref := instance.Spec.Signer.CertificateChain.RootCA.PasswordRef; ref != nil {
-					password, err := kubernetes.GetSecretData(g.Client, instance.Namespace, ref)
+				var password []byte
+				if pref := instance.Spec.Signer.CertificateChain.RootCA.PasswordRef; pref != nil {
+					password, err = kubernetes.GetSecretData(g.Client, instance.Namespace, pref)
 					if err != nil {
 						return nil, err
 					}
-					config.RootPrivateKeyPassword = password
 				}
+
+				if cryptoutil.FIPSEnabled {
+					if err := cryptoutil.ValidatePrivateKeyPEM(key, password); err != nil {
+						return nil, err
+					}
+				}
+
+				config.RootPrivateKey = key
+				config.RootPrivateKeyPassword = password
 			} else {
 				config.RootPrivateKeyPassword = utils.GeneratePassword(8)
 				key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
@@ -286,17 +303,25 @@ func (g generateSigner) handleSignerKeys(instance *v1alpha1.TimestampAuthority,
 				if err != nil {
 					return nil, err
 				}
-				config.IntermediatePrivateKeys = append(config.IntermediatePrivateKeys, key)
 
-				if ref := intermediateCA.PasswordRef; ref != nil {
-					password, err := kubernetes.GetSecretData(g.Client, instance.Namespace, ref)
+				var password []byte
+				if pref := intermediateCA.PasswordRef; pref != nil {
+					password, err = kubernetes.GetSecretData(g.Client, instance.Namespace, pref)
 					if err != nil {
 						return nil, err
 					}
-					config.IntermediatePrivateKeyPasswords = append(config.IntermediatePrivateKeyPasswords, password)
 				} else {
-					config.IntermediatePrivateKeyPasswords = append(config.IntermediatePrivateKeyPasswords, []byte(""))
+					password = []byte("")
+				}
+
+				if cryptoutil.FIPSEnabled {
+					if err := cryptoutil.ValidatePrivateKeyPEM(key, password); err != nil {
+						return nil, err
+					}
 				}
+
+				config.IntermediatePrivateKeys = append(config.IntermediatePrivateKeys, key)
+				config.IntermediatePrivateKeyPasswords = append(config.IntermediatePrivateKeyPasswords, password)
 			} else {
 				config.IntermediatePrivateKeyPasswords = append(config.IntermediatePrivateKeyPasswords, utils.GeneratePassword(8))
 				key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
@@ -317,15 +342,23 @@ func (g generateSigner) handleSignerKeys(instance *v1alpha1.TimestampAuthority,
 				if err != nil {
 					return nil, err
 				}
-				config.LeafPrivateKey = key
 
-				if ref := instance.Spec.Signer.CertificateChain.LeafCA.PasswordRef; ref != nil {
-					password, err := kubernetes.GetSecretData(g.Client, instance.Namespace, ref)
+				var password []byte
+				if pref := instance.Spec.Signer.CertificateChain.LeafCA.PasswordRef; pref != nil {
+					password, err = kubernetes.GetSecretData(g.Client, instance.Namespace, pref)
 					if err != nil {
 						return nil, err
 					}
-					config.LeafPrivateKeyPassword = password
 				}
+
+				if cryptoutil.FIPSEnabled {
+					if err := cryptoutil.ValidatePrivateKeyPEM(key, password); err != nil {
+						return nil, err
+					}
+				}
+
+				config.LeafPrivateKey = key
+				config.LeafPrivateKeyPassword = password
 			} else {
 				config.LeafPrivateKeyPassword = utils.GeneratePassword(8)
 				key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)

internal/controller/tsa/actions/generate_signer_test.go

@@ -2,12 +2,15 @@ package actions
 
 import (
 	"context"
+	"crypto/elliptic"
 	"encoding/json"
 	"testing"
 
 	"github.com/securesign/operator/internal/action"
 	"github.com/securesign/operator/internal/constants"
 	"github.com/securesign/operator/internal/labels"
+	cryptoutil "github.com/securesign/operator/internal/utils/crypto"
+	fipsTest "github.com/securesign/operator/internal/utils/crypto/test"
 	"github.com/securesign/operator/internal/utils/kubernetes"
 	"github.com/securesign/operator/test/e2e/support/tas/tsa"
 	v1 "k8s.io/api/core/v1"
@@ -210,6 +213,58 @@ func Test_SignerHandle(t *testing.T) {
 				return true
 			},
 		},
+		{
+			name: "FIPS enabled rejects non-compliant root key",
+			setup: func(instance *rhtasv1alpha1.TimestampAuthority) (client.WithWatch, action.Action[*rhtasv1alpha1.TimestampAuthority]) {
+				instance.Status.Conditions[0].Reason = constants.Pending
+				instance.Spec.Signer = rhtasv1alpha1.TimestampAuthoritySigner{
+					CertificateChain: rhtasv1alpha1.CertificateChain{
+						RootCA: &rhtasv1alpha1.TsaCertificateAuthority{
+							OrganizationName: "Red Hat",
+							PrivateKeyRef: &rhtasv1alpha1.SecretKeySelector{
+								LocalObjectReference: rhtasv1alpha1.LocalObjectReference{
+									Name: "tsa-invalid-secret",
+								},
+								Key: "rootPrivateKey",
+							},
+							PasswordRef: &rhtasv1alpha1.SecretKeySelector{
+								LocalObjectReference: rhtasv1alpha1.LocalObjectReference{
+									Name: "tsa-invalid-secret",
+								},
+								Key: "rootPrivateKeyPassword",
+							},
+						},
+					},
+				}
+				g := NewWithT(t)
+				_, invalidPriv, _, err := fipsTest.GenerateECCertificatePEM(false, "", elliptic.P224())
+				g.Expect(err).NotTo(HaveOccurred())
+				secret := &v1.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "tsa-invalid-secret",
+						Namespace: instance.Namespace,
+					},
+					Data: map[string][]byte{
+						"rootPrivateKey": invalidPriv,
+					},
+				}
+				cryptoutil.FIPSEnabled = true
+				t.Cleanup(func() {
+					cryptoutil.FIPSEnabled = false
+				})
+
+				cli, act := common.TsaTestSetup(instance, t, nil, NewGenerateSignerAction(), secret)
+				return cli, act
+			},
+			testCase: func(g Gomega, _ action.Action[*rhtasv1alpha1.TimestampAuthority], _ client.WithWatch, instance *rhtasv1alpha1.TimestampAuthority) bool {
+				cond := meta.FindStatusCondition(instance.Status.Conditions, TSASignerCondition)
+				g.Expect(cond).NotTo(BeNil(), "TSASignerCondition should be present")
+				g.Expect(cond.Status).To(Equal(metav1.ConditionFalse), "TSASignerCondition status should be False")
+				g.Expect(cond.Reason).To(Equal(constants.Failure), "TSASignerCondition reason should be Failure")
+
+				return true
+			},
+		},
 		{
 			name: "user-spec keys and certs",
 			setup: func(instance *rhtasv1alpha1.TimestampAuthority) (client.WithWatch, action.Action[*rhtasv1alpha1.TimestampAuthority]) {

test/e2e/fips/tsa_cert_chain_test.go

@@ -0,0 +1,143 @@
+//go:build fips
+
+package fips
+
+import (
+	"crypto/elliptic"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"github.com/securesign/operator/api/v1alpha1"
+	"github.com/securesign/operator/internal/constants"
+	tsaactions "github.com/securesign/operator/internal/controller/tsa/actions"
+	fipsTest "github.com/securesign/operator/internal/utils/crypto/test"
+	"github.com/securesign/operator/test/e2e/support"
+	"github.com/securesign/operator/test/e2e/support/steps"
+	"github.com/securesign/operator/test/e2e/support/tas/ctlog"
+	"github.com/securesign/operator/test/e2e/support/tas/fulcio"
+	"github.com/securesign/operator/test/e2e/support/tas/rekor"
+	"github.com/securesign/operator/test/e2e/support/tas/securesign"
+	"github.com/securesign/operator/test/e2e/support/tas/tsa"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+var _ = Describe("Securesign FIPS - TSA Cert chain", Ordered, func() {
+
+	cli, _ := support.CreateClient()
+
+	var namespace *v1.Namespace
+	var s *v1alpha1.Securesign
+
+	BeforeAll(steps.CreateNamespace(cli, func(new *v1.Namespace) {
+		namespace = new
+	}))
+
+	BeforeAll(func(ctx SpecContext) {
+		s = securesign.Create(namespace.Name, "test",
+			securesign.WithDefaults(),
+			securesign.WithProvidedCerts(),
+			func(v *v1alpha1.Securesign) {
+				v.Spec.Tuf.Keys = []v1alpha1.TufKey{
+					{
+						Name: "fulcio_v1.crt.pem",
+						SecretRef: &v1alpha1.SecretKeySelector{
+							LocalObjectReference: v1alpha1.LocalObjectReference{
+								Name: "my-fulcio-secret",
+							},
+							Key: "cert",
+						},
+					},
+					{
+						Name: "rekor.pub",
+						SecretRef: &v1alpha1.SecretKeySelector{
+							LocalObjectReference: v1alpha1.LocalObjectReference{
+								Name: "my-rekor-secret",
+							},
+							Key: "public",
+						},
+					},
+					{
+						Name: "ctfe.pub",
+						SecretRef: &v1alpha1.SecretKeySelector{
+							LocalObjectReference: v1alpha1.LocalObjectReference{
+								Name: "my-ctlog-secret",
+							},
+							Key: "public",
+						},
+					},
+					{
+						Name: "tsa.certchain.pem",
+						SecretRef: &v1alpha1.SecretKeySelector{
+							LocalObjectReference: v1alpha1.LocalObjectReference{
+								Name: "test-tuf-tsa-secret",
+							},
+							Key: "certificateChain",
+						},
+					},
+				}
+			},
+		)
+	})
+
+	Describe("Reject non-FIPS TSA Cert chain and key then accept FIPS-compliant key", func() {
+		BeforeAll(func(ctx SpecContext) {
+			_, invalidPriv, invalidCert, err := fipsTest.GenerateECCertificatePEM(true, "pass", elliptic.P224())
+			Expect(err).NotTo(HaveOccurred())
+
+			Expect(cli.Create(ctx, ctlog.CreateSecret(namespace.Name, "my-ctlog-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, fulcio.CreateSecret(namespace.Name, "my-fulcio-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, rekor.CreateSecret(namespace.Name, "my-rekor-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, tsa.CreateSecrets(namespace.Name, "test-tuf-tsa-secret"))).To(Succeed())
+			Expect(cli.Create(ctx, tsa.CreateCustomTsaSecret(namespace.Name, "test-tsa-secret", map[string][]byte{
+				"leafPrivateKey":         invalidPriv,
+				"leafPrivateKeyPassword": []byte("pass"),
+				"certificateChain":       invalidCert,
+			}))).To(Succeed())
+			Expect(cli.Create(ctx, s)).To(Succeed())
+		})
+
+		It("TSA reports TSASignerCondition False with Failure reason", func(ctx SpecContext) {
+			Eventually(func(g Gomega) bool {
+				t := tsa.Get(ctx, cli, namespace.Name, s.Name)
+				g.Expect(t).ToNot(BeNil())
+				c := meta.FindStatusCondition(t.Status.Conditions, tsaactions.TSASignerCondition)
+				return c != nil && string(c.Status) == "False" && c.Reason == constants.Failure
+			}).WithContext(ctx).Should(BeTrue())
+		})
+
+		It("Update TSA secret to FIPS-compliant EC P256/P384 and verify readiness", func(ctx SpecContext) {
+			Eventually(func(g Gomega) error {
+				Expect(cli.Get(ctx, types.NamespacedName{Name: s.Name, Namespace: namespace.Name}, s)).To(Succeed())
+
+				s.Spec.TimestampAuthority.Signer = v1alpha1.TimestampAuthoritySigner{
+					CertificateChain: v1alpha1.CertificateChain{
+						CertificateChainRef: &v1alpha1.SecretKeySelector{
+							LocalObjectReference: v1alpha1.LocalObjectReference{
+								Name: "test-tuf-tsa-secret",
+							},
+							Key: "certificateChain",
+						},
+					},
+					File: &v1alpha1.File{
+						PrivateKeyRef: &v1alpha1.SecretKeySelector{
+							LocalObjectReference: v1alpha1.LocalObjectReference{
+								Name: "test-tuf-tsa-secret",
+							},
+							Key: "leafPrivateKey",
+						},
+						PasswordRef: &v1alpha1.SecretKeySelector{
+							LocalObjectReference: v1alpha1.LocalObjectReference{
+								Name: "test-tuf-tsa-secret",
+							},
+							Key: "leafPrivateKeyPassword",
+						},
+					},
+				}
+				return cli.Update(ctx, s)
+			}).Should(Succeed())
+			tsa.Verify(ctx, cli, namespace.Name, s.Name)
+		})
+	})
+})

test/e2e/support/tas/tsa/tsa.go

@@ -197,6 +197,16 @@ func CreateSecrets(ns string, name string) *v1.Secret {
 	}
 }
 
+func CreateCustomTsaSecret(ns string, name string, data map[string][]byte) *v1.Secret {
+	return &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: ns,
+		},
+		Data: data,
+	}
+}
+
 func getCertTemplate(isCA bool) *x509.Certificate {
 	notBefore := time.Now()
 	notAfter := notBefore.Add(365 * 24 * 10 * time.Hour)