Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add TLS support for Trillian server #2164

Merged
merged 2 commits into from
Jul 23, 2024
Merged

Add TLS support for Trillian server #2164

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4903305
Add TLS support for Trillian server
fghanmi Jul 23, 2024
c1f5a69
update tls_ca_cert key name
fghanmi Jul 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions cmd/rekor-server/app/root.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,8 @@ Memory and file-based signers should only be used for testing.`)
rootCmd.PersistentFlags().String("redis_server.password", "", "Redis server password")
rootCmd.PersistentFlags().Bool("redis_server.enable-tls", false, "Whether to enable TLS verification when connecting to Redis endpoint")
rootCmd.PersistentFlags().Bool("redis_server.insecure-skip-verify", false, "Whether to skip TLS verification when connecting to Redis endpoint, only applicable when 'redis_server.enable-tls' is set to 'true'")
rootCmd.PersistentFlags().String("trillian_log_server.tls_ca_cert", "", "Certificate file to use for secure connections with Trillian server")
rootCmd.PersistentFlags().Bool("trillian_log_server.tls", false, "Use TLS when connecting to Trillian Server")

rootCmd.PersistentFlags().Bool("enable_attestation_storage", false, "enables rich attestation storage")
rootCmd.PersistentFlags().String("attestation_storage_bucket", "", "url for attestation storage bucket")
Expand Down
31 changes: 30 additions & 1 deletion pkg/api/api.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,15 @@ import (
"crypto/x509"
"encoding/hex"
"fmt"
"os"
"path/filepath"

"github.com/google/trillian"
"github.com/redis/go-redis/v9"
"github.com/spf13/viper"
"golang.org/x/exp/slices"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"

"github.com/sigstore/rekor/pkg/indexstorage"
Expand All @@ -47,7 +50,33 @@ import (

func dial(rpcServer string) (*grpc.ClientConn, error) {
// Set up and test connection to rpc server
creds := insecure.NewCredentials()
var creds credentials.TransportCredentials
tlsCACertFile := viper.GetString("trillian_log_server.tls_ca_cert")
useSystemTrustStore := viper.GetBool("trillian_log_server.tls")

switch {
case useSystemTrustStore:
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's unlikely, but possible that rpcServer will not simply be a hostname/IP address or hostname:port combination, as that string can be a value as defined by https://github.com/grpc/grpc/blob/master/doc/naming.md

MinVersion: tls.VersionTLS12,
})
case tlsCACertFile != "":
tlsCaCert, err := os.ReadFile(filepath.Clean(tlsCACertFile))
if err != nil {
log.Logger.Fatalf("Failed to load tls_ca_cert:", err)
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(tlsCaCert) {
return nil, fmt.Errorf("failed to append CA certificate to pool")
}
creds = credentials.NewTLS(&tls.Config{
ServerName: rpcServer,
RootCAs: certPool,
MinVersion: tls.VersionTLS12,
})
default:
creds = insecure.NewCredentials()
}
conn, err := grpc.NewClient(rpcServer, grpc.WithTransportCredentials(creds))
if err != nil {
log.Logger.Fatalf("Failed to connect to RPC server:", err)
Expand Down
Loading