Support GCP KMS for checkpoint signer

Author: roger2hk

cmd/gcp/kms.go

@@ -0,0 +1,123 @@
+// Copyright 2024 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"crypto"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io"
+
+	kms "cloud.google.com/go/kms/apiv1"
+	"cloud.google.com/go/kms/apiv1/kmspb"
+)
+
+// Signer is a GCP KMS implementation of
+// [crypto signer](https://pkg.go.dev/crypto#Signer).
+type Signer struct {
+	// ctx must be stored because Signer is used as an implementation of the
+	// crypto.Signer interface, which does not allow for a context in the Sign
+	// method. However, the KMS AsymmetricSign API requires a context.
+	ctx       context.Context
+	client    *kms.KeyManagementClient
+	keyName   string
+	publicKey crypto.PublicKey
+}
+
+// Public returns the public key stored in the Signer object.
+func (s *Signer) Public() crypto.PublicKey {
+	return s.publicKey
+}
+
+// Sign signs the digest using the KMS signing key remotely on GCP.
+// Only crypto.SHA256 is supported.
+func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	// Verify hash function and digest bytes length.
+	if opts == nil || opts.HashFunc() != crypto.SHA256 {
+		return nil, fmt.Errorf("unsupported hash func: %v", opts.HashFunc())
+	}
+	if len(digest) != opts.HashFunc().Size() {
+		return nil, fmt.Errorf("digest bytes length %d does not match hash function bytes length %d", len(digest), opts.HashFunc().Size())
+	}
+
+	// Build the signing request and call the remote signing.
+	req := &kmspb.AsymmetricSignRequest{
+		Name: s.keyName,
+		Digest: &kmspb.Digest{
+			Digest: &kmspb.Digest_Sha256{
+				Sha256: digest,
+			},
+		},
+	}
+	resp, err := s.client.AsymmetricSign(s.ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to sign data: %w", err)
+	}
+
+	// Perform integrity verification on result.
+	if resp.Name != s.keyName {
+		return nil, fmt.Errorf("request corrupted in-transit: %w", err)
+	}
+
+	return resp.GetSignature(), nil
+}
+
+// NewKMSSigner creates a new signer that uses GCP KMS to sign digests.
+func NewKMSSigner(ctx context.Context, keyName string) (*Signer, error) {
+	kmClient, err := kms.NewKeyManagementClient(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create KeyManagementClient: %w", err)
+	}
+
+	// Retrieve the public key from GCP KMS
+	req := &kmspb.GetPublicKeyRequest{
+		Name: keyName,
+	}
+	resp, err := kmClient.GetPublicKey(ctx, req)
+	if err != nil {
+		return nil, err
+	}
+
+	pemBlock, rest := pem.Decode([]byte(resp.Pem))
+	if pemBlock == nil {
+		return nil, errors.New("failed to decode PEM")
+	}
+	if len(rest) > 0 {
+		return nil, fmt.Errorf("extra data after decoding PEM: %v", rest)
+	}
+
+	var publicKey crypto.PublicKey
+	switch pemBlock.Type {
+	case "PUBLIC KEY":
+		publicKey, err = x509.ParsePKIXPublicKey(pemBlock.Bytes)
+	case "RSA PUBLIC KEY":
+		publicKey, err = x509.ParsePKCS1PublicKey(pemBlock.Bytes)
+	default:
+		return nil, fmt.Errorf("unsupported PEM type: %s", pemBlock.Type)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &Signer{
+		ctx:       ctx,
+		client:    kmClient,
+		keyName:   keyName,
+		publicKey: publicKey,
+	}, nil
+}

cmd/gcp/main.go

@@ -27,7 +27,6 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/google/trillian/crypto/keys/pem"
 	"github.com/google/trillian/monitoring/opencensus"
 	"github.com/google/trillian/monitoring/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -67,8 +66,7 @@ var (
 	rejectUnexpired    = flag.Bool("reject_unexpired", false, "If true then CTFE rejects certificates that are either currently valid or not yet valid.")
 	extKeyUsages       = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default all are accepted. The values specified must be ones known to the x509 package.")
 	rejectExtensions   = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
-	privKey            = flag.String("private_key", "", "Path to a private key .der file. Used to sign checkpoints and SCTs.")
-	privKeyPass        = flag.String("password", "", "private_key password.")
+	kmsKeyName         = flag.String("kms_key", "", "GCP KMS key name for signing checkpoints and SCTs. Format: projects/{projectId}/locations/{kmsRegion}/keyRings/{kmsKeyRing}/cryptoKeys/{keyName}/cryptoKeyVersions/{keyVersion}.")
 )
 
 // nolint:staticcheck
@@ -77,10 +75,9 @@ func main() {
 	flag.Parse()
 	ctx := context.Background()
 
-	// TODO(phboneff): move to something else, like KMS
-	signer, err := pem.ReadPrivateKeyFile(*privKey, *privKeyPass)
+	signer, err := NewKMSSigner(ctx, *kmsKeyName)
 	if err != nil {
-		klog.Exitf("Can't open key: %v", err)
+		klog.Exitf("Can't create KMS signer: %v", err)
 	}
 
 	vCfg, err := sctfe.ValidateLogConfig(*origin, *projectID, *bucket, *spannerDB, *rootsPemFile, *rejectExpired, *rejectUnexpired, *extKeyUsages, *rejectExtensions, notAfterStart.t, notAfterLimit.t, signer)

config.go

@@ -16,6 +16,8 @@ package sctfe
 
 import (
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/rsa"
 	"errors"
 	"fmt"
 	"strings"
@@ -32,7 +34,6 @@ type ValidatedLogConfig struct {
 	// is also its submission prefix, as per https://c2sp.org/static-ct-api.
 	Origin string
 	// Used to sign the checkpoint and SCTs.
-	// TODO(phboneff): check that this is RSA or ECDSA only.
 	Signer crypto.Signer
 	// If set, ExtKeyUsages will restrict the set of such usages that the
 	// server will accept. By default all are accepted. The values specified
@@ -90,6 +91,16 @@ func ValidateLogConfig(origin string, projectID string, bucket string, spannerDB
 		return nil, errors.New("empty rootsPemFile")
 	}
 
+	// Validate signer that only RSA or ECDSA are supported.
+	if signer == nil {
+		return nil, errors.New("empty signer")
+	}
+	switch keyType := signer.Public().(type) {
+	case *rsa.PublicKey, *ecdsa.PublicKey:
+	default:
+		return nil, fmt.Errorf("unsupported key type: %v", keyType)
+	}
+
 	lExtKeyUsages := []string{}
 	lRejectExtensions := []string{}
 	if extKeyUsages != "" {

deployment/live/gcp/test/README.md

@@ -39,12 +39,13 @@ Terraforming the project can be done by:
  2. Run `terragrunt apply`
 
 ## Run the SCTFE
+
 ### With fake chains
 
 On the VM, run the following command to bring up the SCTFE:
 
 ```bash
-go run ./cmd/gcp/ --project_id=${GOOGLE_PROJECT} --bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket --spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db --spanner_dedup_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-dedup-db --private_key=./testdata/ct-http-server.privkey.pem  --password=dirk --roots_pem_file=./testdata/fake-ca.cert --origin=${TESSERA_BASE_NAME}
+go run ./cmd/gcp/ --project_id=${GOOGLE_PROJECT} --bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket --spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db --spanner_dedup_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-dedup-db --private_key=./testdata/ct-http-server.privkey.pem  --password=dirk --roots_pem_file=./testdata/fake-ca.cert --origin=${TESSERA_BASE_NAME} --kms_key=projects/${GOOGLE_PROJECT}/locations/global/keyRings/${TESSERA_BASE_NAME}/cryptoKeys/sctfe-p256-sha256/cryptoKeyVersions/1
 ```
 
 In a different terminal you can either mint and submit certificates manually, or
@@ -116,7 +117,7 @@ Run the SCTFE with the same roots:
 
 ```bash
 cd ${SCTFE_REPO}
-go run ./cmd/gcp/ --project_id=${GOOGLE_PROJECT} --bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket --spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db --private_key=./testdata/ct-http-server.privkey.pem  --password=dirk --roots_pem_file=/tmp/hammercfg/roots.pem --origin=${TESSERA_BASE_NAME} --spanner_dedup_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-dedup-db -v=3
+go run ./cmd/gcp/ --project_id=${GOOGLE_PROJECT} --bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket --spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db --roots_pem_file=/tmp/hammercfg/roots.pem --origin=${TESSERA_BASE_NAME} --spanner_dedup_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-dedup-db --kms_key=projects/${GOOGLE_PROJECT}/locations/global/keyRings/${TESSERA_BASE_NAME}/cryptoKeys/sctfe-p256-sha256/cryptoKeyVersions/1 -v=3
 ```
 
 Run `ct_hammer` in a different terminal:

deployment/modules/gcp/storage/main.tf

@@ -65,3 +65,27 @@ resource "google_spanner_database" "dedup_db" {
     "CREATE TABLE IDSeq (id INT64 NOT NULL, h BYTES(MAX) NOT NULL, idx INT64 NOT NULL,) PRIMARY KEY (id, h)",
   ]
 }
+
+# KMS
+
+resource "google_kms_key_ring" "sctfe-keyring" {
+  name     = var.base_name
+  location = var.kms_location
+}
+
+resource "google_kms_crypto_key" "sctfe-asymmetric-sign-key-p256-sha256" {
+  name     = "sctfe-p256-sha256"
+  key_ring = google_kms_key_ring.sctfe-keyring.id
+  purpose  = "ASYMMETRIC_SIGN"
+
+  version_template {
+    algorithm        = "EC_SIGN_P256_SHA256"
+    protection_level = "SOFTWARE"
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+
+  depends_on = [google_kms_key_ring.sctfe-keyring]
+}

deployment/modules/gcp/storage/outputs.tf

@@ -17,3 +17,8 @@ output "dedup_spanner_db" {
   description = "Dedup Spanner database"
   value       = google_spanner_database.dedup_db
 }
+
+output "kms_key" {
+  description = "KMS asymmetric sign key (P256_SHA256)"
+  value       = google_kms_crypto_key.sctfe-asymmetric-sign-key-p256-sha256
+}

deployment/modules/gcp/storage/variables.tf

@@ -12,3 +12,9 @@ variable "location" {
   description = "Location in which to create resources"
   type        = string
 }
+
+variable "kms_location" {
+  type        = string
+  description = "Location of KMS keyring"
+  default     = "global"
+}

go.mod

@@ -3,6 +3,7 @@ module github.com/transparency-dev/static-ct
 go 1.23.1
 
 require (
+	cloud.google.com/go/kms v1.20.0
 	cloud.google.com/go/spanner v1.71.0
 	cloud.google.com/go/storage v1.46.0
 	github.com/golang/mock v1.6.0
@@ -30,6 +31,7 @@ require (
 	cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
 	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	cloud.google.com/go/iam v1.2.1 // indirect
+	cloud.google.com/go/longrunning v0.6.1 // indirect
 	cloud.google.com/go/monitoring v1.21.1 // indirect
 	cloud.google.com/go/trace v1.11.1 // indirect
 	contrib.go.opencensus.io/exporter/stackdriver v0.13.14 // indirect

go.sum

@@ -340,6 +340,8 @@ cloud.google.com/go/kms v1.8.0/go.mod h1:4xFEhYFqvW+4VMELtZyxomGSYtSQKzM178ylFW4
 cloud.google.com/go/kms v1.9.0/go.mod h1:qb1tPTgfF9RQP8e1wq4cLFErVuTJv7UsSC915J8dh3w=
 cloud.google.com/go/kms v1.10.0/go.mod h1:ng3KTUtQQU9bPX3+QGLsflZIHlkbn8amFAMY63m8d24=
 cloud.google.com/go/kms v1.10.1/go.mod h1:rIWk/TryCkR59GMC3YtHtXeLzd634lBbKenvyySAyYI=
+cloud.google.com/go/kms v1.20.0 h1:uKUvjGqbBlI96xGE669hcVnEMw1Px/Mvfa62dhM5UrY=
+cloud.google.com/go/kms v1.20.0/go.mod h1:/dMbFF1tLLFnQV44AoI2GlotbjowyUfgVwezxW291fM=
 cloud.google.com/go/language v1.4.0/go.mod h1:F9dRpNFQmJbkaop6g0JhSBXCNlO90e1KWx5iDdxbWic=
 cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQnWM3mdEbhI=
 cloud.google.com/go/language v1.7.0/go.mod h1:DJ6dYN/W+SQOjF8e1hLQXMF21AkH2w9wiPzPCJa2MIE=