Add support for Tink keyset signer

haydentherapper · haydentherapper · commit 922bc568fba2 · 2025-04-23T17:08:36.000-07:00
This PR adds support for in-memory signing using a Tink keyset. The
keyset is encrypted with a key-encryption-key stored in GCP KMS. The key
is decrypted on startup and loaded into memory. This uses a utility to
unpack the keyset into a crypto.Signer so that it can be used to sign
certificates. This also validates that the key is an ECDSA P-256 key as
per RFC 6962, since Tink supports many key types.

Signed-off-by: Hayden B &lt;8418760+haydentherapper@users.noreply.github.com&gt;
diff --git a/cmd/gcp/main.go b/cmd/gcp/main.go
@@ -17,6 +17,7 @@ package main
 
 import (
 	"context"
+	"crypto"
 	"errors"
 	"flag"
 	"fmt"
@@ -62,6 +63,8 @@ var (
 	signerPublicKeySecretName  = flag.String("signer_public_key_secret_name", "", "Public key secret name for checkpoints and SCTs signer. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}.")
 	signerPrivateKeySecretName = flag.String("signer_private_key_secret_name", "", "Private key secret name for checkpoints and SCTs signer. Format: projects/{projectId}/secrets/{secretName}/versions/{secretVersion}.")
 	traceFraction              = flag.Float64("trace_fraction", 0, "Fraction of open-telemetry span traces to sample")
+	signerTinkKekUri           = flag.String("signer-tink-kek-uri", "", "Encryption key for decrypting Tink keyset. Format: gcp-kms://projects/{projectId}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{cryptoKey}/cryptoKeyVersions/{version}")
+	signerTinkKeysetFile       = flag.String("signer-tink-keyset-path", "", "Path to encrypted Tink keyset")
 )
 
 // nolint:staticcheck
@@ -73,9 +76,22 @@ func main() {
 	shutdownOTel := initOTel(ctx, *traceFraction, *origin)
 	defer shutdownOTel(ctx)
 
-	signer, err := NewSecretManagerSigner(ctx, *signerPublicKeySecretName, *signerPrivateKeySecretName)
-	if err != nil {
-		klog.Exitf("Can't create secret manager signer: %v", err)
+	var signer crypto.Signer
+	var err error
+	if *signerPrivateKeySecretName != "" && *signerPublicKeySecretName != "" {
+		signer, err = NewSecretManagerSigner(ctx, *signerPublicKeySecretName, *signerPrivateKeySecretName)
+		if err != nil {
+			klog.Exitf("Can't create secret manager signer: %v", err)
+		}
+	}
+	if *signerTinkKekUri != "" && *signerTinkKeysetFile != "" {
+		signer, err = NewTinkSignerVerifier(ctx, *signerTinkKekUri, *signerTinkKeysetFile)
+		if err != nil {
+			klog.Exitf("Can't initialize Tink signer: %v", err)
+		}
+	}
+	if signer == nil {
+		klog.Exit("Signer not initialized, provide either a key either in GCP Secret Manager or a GCP KMS-encrypted Tink keyset")
 	}
 
 	chainValidationConfig := tesseract.ChainValidationConfig{
diff --git a/cmd/gcp/tink.go b/cmd/gcp/tink.go
@@ -0,0 +1,87 @@
+// Copyright 2025 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	tinkUtils "github.com/sigstore/sigstore/pkg/signature/tink"
+	"github.com/tink-crypto/tink-go-gcpkms/v2/integration/gcpkms"
+	"github.com/tink-crypto/tink-go/v2/core/registry"
+	"github.com/tink-crypto/tink-go/v2/keyset"
+	"github.com/tink-crypto/tink-go/v2/tink"
+)
+
+const TinkScheme = "tink"
+
+// NewTinkSignerVerifier returns a crypto.Signer. Only ECDSA P-256 is supported.
+// Provide a path to the encrypted keyset and GCP KMS key URI for decryption.
+func NewTinkSignerVerifier(ctx context.Context, kekURI, keysetPath string) (crypto.Signer, error) {
+	if kekURI == "" || keysetPath == "" {
+		return nil, fmt.Errorf("key encryption key URI or keyset path unset")
+	}
+	kek, err := getKeyEncryptionKey(ctx, kekURI)
+	if err != nil {
+		return nil, err
+	}
+
+	f, err := os.Open(filepath.Clean(keysetPath))
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	kh, err := keyset.Read(keyset.NewJSONReader(f), kek)
+	if err != nil {
+		return nil, err
+	}
+	signer, _, err := tinkUtils.KeyHandleToSigner(kh)
+	if err != nil {
+		return nil, err
+	}
+
+	// validate that key is ECDSA P-256
+	pub, ok := signer.Public().(*ecdsa.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("key must be ECDSA")
+	}
+	if pub.Curve != elliptic.P256() {
+		return nil, fmt.Errorf("elliptic curve must be P-256, was %s", pub.Curve.Params().Name)
+	}
+
+	return signer, err
+}
+
+// getKeyEncryptionKey returns a Tink AEAD encryption key from KMS
+func getKeyEncryptionKey(ctx context.Context, kmsKey string) (tink.AEAD, error) {
+	switch {
+	case strings.HasPrefix(kmsKey, "gcp-kms://"):
+		gcpClient, err := gcpkms.NewClientWithOptions(ctx, kmsKey)
+		if err != nil {
+			return nil, err
+		}
+		registry.RegisterKMSClient(gcpClient)
+		return gcpClient.GetAEAD(kmsKey)
+	default:
+		return nil, fmt.Errorf("unsupported KMS key type for key %s", kmsKey)
+	}
+}
diff --git a/go.mod b/go.mod
@@ -19,6 +19,9 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/kylelemons/godebug v1.1.0
 	github.com/rivo/tview v0.0.0-20240625185742-b0a7293b8130
+	github.com/sigstore/sigstore v1.9.3
+	github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0
+	github.com/tink-crypto/tink-go/v2 v2.4.0
 	github.com/transparency-dev/formats v0.0.0-20250414062418-2207ab4ca61e
 	github.com/transparency-dev/merkle v0.0.2
 	github.com/transparency-dev/trillian-tessera v0.1.2-0.20250417180933-3f459e774877
@@ -72,18 +75,25 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/gdamore/encoding v1.0.1 // indirect
 	github.com/globocom/go-buffer v1.2.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/google/go-containerregistry v0.20.3 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
+	github.com/sigstore/protobuf-specs v0.4.1 // indirect
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
@@ -100,4 +110,5 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20250414145226-207652e42e2e // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
