Replace fake signer with AWS Secrets Manager signer (#214)

* Replace fake signer with AWS Secrets Manager signer

* Update `aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key` tag label

* Update error log when AWS Secrets Manager cannot be created

Author: roger2hk

cmd/aws/main.go

@@ -17,8 +17,6 @@ package main
 
 import (
 	"context"
-	"crypto/x509"
-	"encoding/pem"
 	"flag"
 	"fmt"
 	"net/http"
@@ -32,7 +30,6 @@ import (
 	"github.com/go-sql-driver/mysql"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	sctfe "github.com/transparency-dev/static-ct"
-	"github.com/transparency-dev/static-ct/internal/testdata"
 	"github.com/transparency-dev/static-ct/storage"
 	awsSCTFE "github.com/transparency-dev/static-ct/storage/aws"
 	"github.com/transparency-dev/static-ct/storage/bbolt"
@@ -52,25 +49,27 @@ var (
 	notAfterStart timestampFlag
 	notAfterLimit timestampFlag
 
-	httpEndpoint       = flag.String("http_endpoint", "localhost:6962", "Endpoint for HTTP (host:port).")
-	metricsEndpoint    = flag.String("metrics_endpoint", "", "Endpoint for serving metrics; if left empty, metrics will be visible on --http_endpoint.")
-	httpDeadline       = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")
-	maskInternalErrors = flag.Bool("mask_internal_errors", false, "Don't return error strings with Internal Server Error HTTP responses.")
-	origin             = flag.String("origin", "", "Origin of the log, for checkpoints and the monitoring prefix.")
-	bucket             = flag.String("bucket", "", "Name of the bucket to store the log in.")
-	dbName             = flag.String("db_name", "", "AuroraDB name")
-	dbHost             = flag.String("db_host", "", "AuroraDB host")
-	dbPort             = flag.Int("db_port", 3306, "AuroraDB port")
-	dbUser             = flag.String("db_user", "", "AuroraDB user")
-	dbPassword         = flag.String("db_password", "", "AuroraDB password")
-	dbMaxConns         = flag.Int("db_max_conns", 0, "Maximum connections to the database, defaults to 0, i.e unlimited")
-	dbMaxIdle          = flag.Int("db_max_idle_conns", 2, "Maximum idle database connections in the connection pool, defaults to 2")
-	dedupPath          = flag.String("dedup_path", "", "Path to the deduplication database.")
-	rootsPemFile       = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
-	rejectExpired      = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
-	rejectUnexpired    = flag.Bool("reject_unexpired", false, "If true then CTFE rejects certificates that are either currently valid or not yet valid.")
-	extKeyUsages       = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default all are accepted. The values specified must be ones known to the x509 package.")
-	rejectExtensions   = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
+	httpEndpoint               = flag.String("http_endpoint", "localhost:6962", "Endpoint for HTTP (host:port).")
+	metricsEndpoint            = flag.String("metrics_endpoint", "", "Endpoint for serving metrics; if left empty, metrics will be visible on --http_endpoint.")
+	httpDeadline               = flag.Duration("http_deadline", time.Second*10, "Deadline for HTTP requests.")
+	maskInternalErrors         = flag.Bool("mask_internal_errors", false, "Don't return error strings with Internal Server Error HTTP responses.")
+	origin                     = flag.String("origin", "", "Origin of the log, for checkpoints and the monitoring prefix.")
+	bucket                     = flag.String("bucket", "", "Name of the bucket to store the log in.")
+	dbName                     = flag.String("db_name", "", "AuroraDB name")
+	dbHost                     = flag.String("db_host", "", "AuroraDB host")
+	dbPort                     = flag.Int("db_port", 3306, "AuroraDB port")
+	dbUser                     = flag.String("db_user", "", "AuroraDB user")
+	dbPassword                 = flag.String("db_password", "", "AuroraDB password")
+	dbMaxConns                 = flag.Int("db_max_conns", 0, "Maximum connections to the database, defaults to 0, i.e unlimited")
+	dbMaxIdle                  = flag.Int("db_max_idle_conns", 2, "Maximum idle database connections in the connection pool, defaults to 2")
+	dedupPath                  = flag.String("dedup_path", "", "Path to the deduplication database.")
+	rootsPemFile               = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
+	rejectExpired              = flag.Bool("reject_expired", false, "If true then the certificate validity period will be checked against the current time during the validation of submissions. This will cause expired certificates to be rejected.")
+	rejectUnexpired            = flag.Bool("reject_unexpired", false, "If true then CTFE rejects certificates that are either currently valid or not yet valid.")
+	extKeyUsages               = flag.String("ext_key_usages", "", "If set, will restrict the set of such usages that the server will accept. By default all are accepted. The values specified must be ones known to the x509 package.")
+	rejectExtensions           = flag.String("reject_extension", "", "A list of X.509 extension OIDs, in dotted string form (e.g. '2.3.4.5') which, if present, should cause submissions to be rejected.")
+	signerPublicKeySecretName  = flag.String("signer_public_key_secret_name", "", "Public key secret name for checkpoints and SCTs signer")
+	signerPrivateKeySecretName = flag.String("signer_private_key_secret_name", "", "Private key secret name for checkpoints and SCTs signer")
 )
 
 // nolint:staticcheck
@@ -79,13 +78,10 @@ func main() {
 	flag.Parse()
 	ctx := context.Background()
 
-	// TODO: Replace the fake signer with AWS Secrets Manager Signer.
-	block, _ := pem.Decode([]byte(testdata.DemoPublicKey))
-	key, err := x509.ParsePKIXPublicKey(block.Bytes)
+	signer, err := NewSecretsManagerSigner(ctx, *signerPublicKeySecretName, *signerPrivateKeySecretName)
 	if err != nil {
-		klog.Exitf("Can't parse public key: %v", err)
+		klog.Exitf("Can't create AWS Secrets Manager signer: %v", err)
 	}
-	fakeSigner := testdata.NewSignerWithFixedSig(key, []byte("sig"))
 
 	chainValidationConfig := sctfe.ChainValidationConfig{
 		RootsPEMFile:     *rootsPemFile,
@@ -97,7 +93,7 @@ func main() {
 		NotAfterLimit:    notAfterLimit.t,
 	}
 
-	logHandler, err := sctfe.NewLogHandler(ctx, *origin, fakeSigner, chainValidationConfig, newAWSStorage, *httpDeadline, *maskInternalErrors)
+	logHandler, err := sctfe.NewLogHandler(ctx, *origin, signer, chainValidationConfig, newAWSStorage, *httpDeadline, *maskInternalErrors)
 	if err != nil {
 		klog.Exitf("Can't initialize CT HTTP Server: %v", err)
 	}

cmd/aws/secrets_manager.go

@@ -0,0 +1,146 @@
+// Copyright 2025 The Tessera authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+)
+
+// TODO: Move ECDSAWithSHA256Signer to internal signer package.
+// ECDSAWithSHA256Signer implements crypto.Signer using AWS Secrets Manager.
+// Only crypto.SHA256 and ECDSA are supported.
+type ECDSAWithSHA256Signer struct {
+	publicKey  *ecdsa.PublicKey
+	privateKey *ecdsa.PrivateKey
+}
+
+// Public returns the public key stored in the Signer object.
+func (s *ECDSAWithSHA256Signer) Public() crypto.PublicKey {
+	return s.publicKey
+}
+
+// Sign signs digest with the private key stored in AWS Secrets Manager.
+func (s *ECDSAWithSHA256Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+	// Verify hash function and digest bytes length.
+	if opts == nil {
+		return nil, errors.New("opts cannot be nil")
+	}
+	if opts.HashFunc() != crypto.SHA256 {
+		return nil, fmt.Errorf("unsupported hash func: %v", opts.HashFunc())
+	}
+	if len(digest) != opts.HashFunc().Size() {
+		return nil, fmt.Errorf("digest bytes length %d does not match hash function bytes length %d", len(digest), opts.HashFunc().Size())
+	}
+
+	return ecdsa.SignASN1(rand, s.privateKey, digest)
+}
+
+// NewSecretsManagerSigner creates a new signer that uses the ECDSA P-256 key pair in
+// AWS Secrets Manager for signing digests.
+func NewSecretsManagerSigner(ctx context.Context, publicKeySecretName, privateKeySecretName string) (*ECDSAWithSHA256Signer, error) {
+	sdkConfig, err := config.LoadDefaultConfig(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load default AWS configuration: %v", err)
+	}
+
+	// Create Secrets Manager client
+	client := secretsmanager.NewFromConfig(sdkConfig)
+
+	// Public Key
+	var publicKey crypto.PublicKey
+	pemBlock, err := secretPEM(ctx, client, publicKeySecretName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get public key secret PEM (%s): %w", publicKeySecretName, err)
+	}
+	switch pemBlock.Type {
+	case "PUBLIC KEY":
+		publicKey, err = x509.ParsePKIXPublicKey(pemBlock.Bytes)
+	default:
+		return nil, fmt.Errorf("unsupported PEM type: %s", pemBlock.Type)
+	}
+	if err != nil {
+		return nil, err
+	}
+	var ecdsaPublicKey *ecdsa.PublicKey
+	ecdsaPublicKey, ok := publicKey.(*ecdsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("the public key stored in Secret Manager is not an ECDSA key")
+	}
+
+	// Private Key
+	var ecdsaPrivateKey *ecdsa.PrivateKey
+	pemBlock, err = secretPEM(ctx, client, privateKeySecretName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get private key secret PEM (%s): %w", privateKeySecretName, err)
+	}
+	switch pemBlock.Type {
+	case "EC PRIVATE KEY":
+		ecdsaPrivateKey, err = x509.ParseECPrivateKey(pemBlock.Bytes)
+	default:
+		return nil, fmt.Errorf("unsupported PEM type: %s", pemBlock.Type)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	// Verify the correctness of the signer key pair
+	if !ecdsaPrivateKey.PublicKey.Equal(ecdsaPublicKey) {
+		return nil, errors.New("signer key pair doesn't match")
+	}
+
+	return &ECDSAWithSHA256Signer{
+		publicKey:  ecdsaPublicKey,
+		privateKey: ecdsaPrivateKey,
+	}, nil
+}
+
+func secretPEM(ctx context.Context, client *secretsmanager.Client, secretName string) (*pem.Block, error) {
+	input := &secretsmanager.GetSecretValueInput{
+		SecretId: aws.String(secretName),
+	}
+
+	result, err := client.GetSecretValue(ctx, input)
+	if err != nil {
+		// For a list of exceptions thrown, see
+		// https://<<{{DocsDomain}}>>/secretsmanager/latest/apireference/API_GetSecretValue.html
+		return nil, fmt.Errorf("failed to get secret value: %w", err)
+	}
+	if result.SecretString == nil {
+		return nil, fmt.Errorf("secretString is nil for secret %s", secretName)
+	}
+
+	var secretString string = *result.SecretString
+
+	pemBlock, rest := pem.Decode([]byte(secretString))
+	if pemBlock == nil {
+		return nil, errors.New("failed to decode PEM")
+	}
+	if len(rest) > 0 {
+		return nil, fmt.Errorf("extra data after decoding PEM: %v", rest)
+	}
+
+	return pemBlock, nil
+}

cmd/gcp/secret_manager.go

@@ -29,6 +29,7 @@ import (
 	"cloud.google.com/go/secretmanager/apiv1/secretmanagerpb"
 )
 
+// TODO: Move ECDSAWithSHA256Signer to internal signer package.
 // ECDSAWithSHA256Signer implements crypto.Signer using Google Cloud Secret Manager.
 // Only crypto.SHA256 and ECDSA are supported.
 type ECDSAWithSHA256Signer struct {

deployment/live/aws/test/.terraform.lock.hcl

@@ -0,0 +1,54 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.92.0"
+    }
+  }
+}
+
+# Configure the AWS Provider
+provider "aws" {
+  region = var.region
+}
+
+# Secrets Manager
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your 
+# Terraform state file. Use of this resource for production deployments is not 
+# recommended.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "sctfe_ecdsa_p256" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
+
+resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
+  name = "${var.base_name}-ecdsa-p256-public-key"
+
+  tags = {
+    label = "tesseract-public-key"
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_public_key" {
+  secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.id
+  secret_string = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+}
+
+resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
+  name = "${var.base_name}-ecdsa-p256-private-key"
+
+  tags = {
+    label = "tesseract-private-key"
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_private_key" {
+  secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.id
+  secret_string = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+}

deployment/modules/aws/secretsmanager/main.tf

@@ -0,0 +1,15 @@
+output "ecdsa_p256_public_key_id" {
+  description = "Signer public key (P256_SHA256)"
+  value       = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.name
+}
+
+output "ecdsa_p256_public_key_data" {
+  description = "Signer public key (P256_SHA256) data from secret manager"
+  value       = aws_secretsmanager_secret_version.sctfe_ecdsa_p256_public_key.secret_string
+  sensitive   = true
+}
+
+output "ecdsa_p256_private_key_id" {
+  description = "Signer private key (P256_SHA256)"
+  value       = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.name
+}

deployment/modules/aws/secretsmanager/outputs.tf

@@ -0,0 +1,9 @@
+variable "base_name" {
+  description = "Base name to use when naming resources"
+  type        = string
+}
+
+variable "region" {
+  description = "Region in which to create resources"
+  type        = string
+}

deployment/modules/aws/secretsmanager/variables.tf

@@ -10,3 +10,10 @@ module "storage" {
   region      = var.region
   ephemeral   = var.ephemeral
 }
+
+module "secretsmanager" {
+  source = "../../secretsmanager"
+
+  base_name = var.base_name
+  region    = var.region
+}

deployment/modules/aws/tesseract/test/main.tf

@@ -19,3 +19,13 @@ output "rds_aurora_cluster_master_user_secret" {
   value     = module.storage.rds_aurora_cluster_master_user_secret
   sensitive = true
 }
+
+output "ecdsa_p256_public_key_id" {
+  description = "Signer public key (P256_SHA256)"
+  value       = module.secretsmanager.ecdsa_p256_public_key_id
+}
+
+output "ecdsa_p256_private_key_id" {
+  description = "Signer private key (P256_SHA256)"
+  value       = module.secretsmanager.ecdsa_p256_private_key_id
+}

deployment/modules/aws/tesseract/test/outputs.tf

@@ -10,6 +10,7 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.36.3
 	github.com/aws/aws-sdk-go-v2/config v1.29.9
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.78.2
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2
 	github.com/aws/smithy-go v1.22.3
 	github.com/gdamore/tcell/v2 v2.8.1
 	github.com/go-sql-driver/mysql v1.9.1

go.mod

@@ -678,6 +678,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15 h1:moLQUoVq91Liq
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.15/go.mod h1:ZH34PJUc8ApjBIfgQCFvkWcUDBtl/WTD+uiYHjd8igA=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.78.2 h1:jIiopHEV22b4yQP2q36Y0OmwLbsxNWdWwfZRR5QRRO4=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.78.2/go.mod h1:U5SNqwhXB3Xe6F47kXvWihPl/ilGaEDe8HD/50Z9wxc=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2 h1:vlYXbindmagyVA3RS2SPd47eKZ00GZZQcr+etTviHtc=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.2/go.mod h1:yGhDiLKguA3iFJYxbrQkQiNzuy+ddxesSZYWVeeEH5Q=
 github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 h1:8JdC7Gr9NROg1Rusk25IcZeTO59zLxsKgE0gkh5O6h0=
 github.com/aws/aws-sdk-go-v2/service/sso v1.25.1/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 h1:KwuLovgQPcdjNMfFt9OhUd9a2OwcOKhxfvF4glTzLuA=