Adds crypto/spiffe

Adds spiffe package to crypto. This is a refactored version of the existing `pkg/security` package. This new package is more modulated and fuller test coverage. This package has been moved so that it can be both imported by dapr & components-contrib, as well as making the package more suitable for further development to support X.509 Component auth. dapr/proposals#51 Also moves in `test/utils` from dapr to `crypto/test` for shared usage. Signed-off-by: joshvanl <[email protected]>
JoshVanL · Apr 3, 2024 · 969bdc7 · 969bdc7
1 parent e33fbab
commit 969bdc7
Show file tree

Hide file tree

Showing 13 changed files with 2,042 additions and 51 deletions.
diff --git a/crypto/pem/pem.go b/crypto/pem/pem.go
@@ -0,0 +1,189 @@
+/*
+Copyright 2023 The Dapr Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pem
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+)
+
+// DecodePEMCertificatesChain takes a PEM-encoded x509 certificates byte array
+// and returns all certificates in a slice of x509.Certificate objects.
+// Expects certificates to be a chain with leaf certificate to be first in the
+// byte array.
+func DecodePEMCertificatesChain(crtb []byte) ([]*x509.Certificate, error) {
+	certs, err := DecodePEMCertificates(crtb)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := 0; i < len(certs)-1; i++ {
+		if certs[i].CheckSignatureFrom(certs[i+1]) != nil {
+			return nil, errors.New("certificate chain is not valid")
+		}
+	}
+
+	return certs, nil
+}
+
+// DecodePEMCertificatesChain takes a PEM-encoded x509 certificates byte array
+// and returns all certificates in a slice of x509.Certificate objects.
+func DecodePEMCertificates(crtb []byte) ([]*x509.Certificate, error) {
+	certs := []*x509.Certificate{}
+	for len(crtb) > 0 {
+		var err error
+		var cert *x509.Certificate
+
+		cert, crtb, err = decodeCertificatePEM(crtb)
+		if err != nil {
+			return nil, err
+		}
+		if cert != nil {
+			// it's a cert, add to pool
+			certs = append(certs, cert)
+		}
+	}
+
+	if len(certs) == 0 {
+		return nil, errors.New("no certificates found")
+	}
+
+	return certs, nil
+}
+
+func decodeCertificatePEM(crtb []byte) (*x509.Certificate, []byte, error) {
+	block, crtb := pem.Decode(crtb)
+	if block == nil {
+		return nil, nil, nil
+	}
+	if block.Type != "CERTIFICATE" {
+		return nil, nil, nil
+	}
+	c, err := x509.ParseCertificate(block.Bytes)
+	return c, crtb, err
+}
+
+// DecodePEMPrivateKey takes a key PEM byte array and returns an object that
+// represents either an RSA or EC private key.
+func DecodePEMPrivateKey(key []byte) (crypto.Signer, error) {
+	block, _ := pem.Decode(key)
+	if block == nil {
+		return nil, errors.New("key is not PEM encoded")
+	}
+
+	switch block.Type {
+	case "EC PRIVATE KEY":
+		return x509.ParseECPrivateKey(block.Bytes)
+	case "RSA PRIVATE KEY":
+		return x509.ParsePKCS1PrivateKey(block.Bytes)
+	case "PRIVATE KEY":
+		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		return key.(crypto.Signer), nil
+	default:
+		return nil, fmt.Errorf("unsupported block type %s", block.Type)
+	}
+}
+
+// EncodePrivateKey will encode a private key into PEM format.
+func EncodePrivateKey(key any) ([]byte, error) {
+	var (
+		keyBytes  []byte
+		err       error
+		blockType string
+	)
+
+	switch key := key.(type) {
+	case *ecdsa.PrivateKey, *ed25519.PrivateKey:
+		keyBytes, err = x509.MarshalPKCS8PrivateKey(key)
+		if err != nil {
+			return nil, err
+		}
+		blockType = "PRIVATE KEY"
+	default:
+		return nil, fmt.Errorf("unsupported key type %T", key)
+	}
+
+	return pem.EncodeToMemory(&pem.Block{
+		Type: blockType, Bytes: keyBytes,
+	}), nil
+}
+
+// EncodeX509 will encode a single *x509.Certificate into PEM format.
+func EncodeX509(cert *x509.Certificate) ([]byte, error) {
+	caPem := bytes.NewBuffer([]byte{})
+	err := pem.Encode(caPem, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	if err != nil {
+		return nil, err
+	}
+
+	return caPem.Bytes(), nil
+}
+
+// EncodeX509Chain will encode a list of *x509.Certificates into a PEM format chain.
+// Self-signed certificates are not included as per
+// https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.2
+// Certificates are output in the order they're given; if the input is not ordered
+// as specified in RFC5246 section 7.4.2, the resulting chain might not be valid
+// for use in TLS.
+func EncodeX509Chain(certs []*x509.Certificate) ([]byte, error) {
+	if len(certs) == 0 {
+		return nil, errors.New("no certificates in chain")
+	}
+
+	certPEM := bytes.NewBuffer([]byte{})
+	for _, cert := range certs {
+		if cert == nil {
+			continue
+		}
+
+		if cert.CheckSignatureFrom(cert) == nil {
+			// Don't include self-signed certificate
+			continue
+		}
+
+		err := pem.Encode(certPEM, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return certPEM.Bytes(), nil
+}
+
+// PublicKeysEqual compares two given public keys for equality.
+// The definition of "equality" depends on the type of the public keys.
+// Returns true if the keys are the same, false if they differ or an error if
+// the key type of `a` cannot be determined.
+func PublicKeysEqual(a, b crypto.PublicKey) (bool, error) {
+	switch pub := a.(type) {
+	case *rsa.PublicKey:
+		return pub.Equal(b), nil
+	case *ecdsa.PublicKey:
+		return pub.Equal(b), nil
+	case ed25519.PublicKey:
+		return pub.Equal(b), nil
+	default:
+		return false, fmt.Errorf("unrecognised public key type: %T", a)
+	}
+}
diff --git a/crypto/spiffe/spiffe.go b/crypto/spiffe/spiffe.go
@@ -0,0 +1,182 @@
+/*
+Copyright 2024 The Dapr Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package spiffe
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
+	"k8s.io/utils/clock"
+
+	"github.com/dapr/kit/logger"
+)
+
+type (
+	RequestSVIDFn func(context.Context, []byte) ([]*x509.Certificate, error)
+)
+
+type Options struct {
+	Log           logger.Logger
+	RequestSVIDFn RequestSVIDFn
+}
+
+// SPIFFE is a readable/writeable store of a SPIFFE X.509 SVID.
+// Used to manage a workload SVID, and share read-only interfaces to consumers.
+type SPIFFE struct {
+	currentSVID   *x509svid.SVID
+	requestSVIDFn RequestSVIDFn
+
+	log     logger.Logger
+	lock    sync.RWMutex
+	clock   clock.Clock
+	running atomic.Bool
+	readyCh chan struct{}
+}
+
+func New(opts Options) *SPIFFE {
+	return &SPIFFE{
+		requestSVIDFn: opts.RequestSVIDFn,
+		log:           opts.Log,
+		clock:         clock.RealClock{},
+		readyCh:       make(chan struct{}),
+	}
+}
+
+func (s *SPIFFE) Run(ctx context.Context) error {
+	if !s.running.CompareAndSwap(false, true) {
+		return errors.New("already running")
+	}
+
+	s.lock.Lock()
+	s.log.Info("Fetching initial identity certificate")
+	initialCert, err := s.fetchIdentityCertificate(ctx)
+	if err != nil {
+		close(s.readyCh)
+		s.lock.Unlock()
+		return fmt.Errorf("failed to retrieve the initial identity certificate: %w", err)
+	}
+
+	s.currentSVID = initialCert
+	close(s.readyCh)
+	s.lock.Unlock()
+
+	s.log.Infof("Security is initialized successfully")
+	s.runRotation(ctx)
+
+	return nil
+}
+
+// Ready blocks until SPIFFE is ready or the context is done which will return
+// the context error.
+func (s *SPIFFE) Ready(ctx context.Context) error {
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-s.readyCh:
+		return nil
+	}
+}
+
+// runRotation starts up the manager responsible for renewing the workload
+// certificate. Receives the initial certificate to calculate the next rotation
+// time.
+func (s *SPIFFE) runRotation(ctx context.Context) {
+	defer s.log.Debug("stopping workload cert expiry watcher")
+	s.lock.RLock()
+	cert := s.currentSVID.Certificates[0]
+	s.lock.RUnlock()
+	renewTime := renewalTime(cert.NotBefore, cert.NotAfter)
+	s.log.Infof("Starting workload cert expiry watcher; current cert expires on: %s, renewing at %s",
+		cert.NotAfter.String(), renewTime.String())
+
+	for {
+		select {
+		case <-s.clock.After(min(time.Minute, renewTime.Sub(s.clock.Now()))):
+			if s.clock.Now().Before(renewTime) {
+				continue
+			}
+			s.log.Infof("Renewing workload cert; current cert expires on: %s", cert.NotAfter.String())
+			svid, err := s.fetchIdentityCertificate(ctx)
+			if err != nil {
+				s.log.Errorf("Error renewing identity certificate, trying again in 10 seconds: %s", err)
+				select {
+				case <-s.clock.After(10 * time.Second):
+					continue
+				case <-ctx.Done():
+					return
+				}
+			}
+			s.lock.Lock()
+			s.currentSVID = svid
+			cert = svid.Certificates[0]
+			s.lock.Unlock()
+			renewTime = renewalTime(cert.NotBefore, cert.NotAfter)
+			s.log.Infof("Successfully renewed workload cert; new cert expires on: %s", cert.NotAfter.String())
+
+		case <-ctx.Done():
+			return
+		}
+	}
+}
+
+// fetchIdentityCertificate fetches a new SVID using the configured requester.
+func (s *SPIFFE) fetchIdentityCertificate(ctx context.Context) (*x509svid.SVID, error) {
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate private key: %w", err)
+	}
+
+	csrDER, err := x509.CreateCertificateRequest(rand.Reader, new(x509.CertificateRequest), key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create sidecar csr: %w", err)
+	}
+
+	workloadcert, err := s.requestSVIDFn(ctx, csrDER)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(workloadcert) == 0 {
+		return nil, errors.New("no certificates received from sentry")
+	}
+
+	spiffeID, err := x509svid.IDFromCert(workloadcert[0])
+	if err != nil {
+		return nil, fmt.Errorf("error parsing spiffe id from newly signed certificate: %w", err)
+	}
+
+	return &x509svid.SVID{
+		ID:           spiffeID,
+		Certificates: workloadcert,
+		PrivateKey:   key,
+	}, nil
+}
+
+func (s *SPIFFE) SVIDSource() x509svid.Source {
+	return &svidSource{spiffe: s}
+}
+
+// renewalTime is 50% through the certificate validity period.
+func renewalTime(notBefore, notAfter time.Time) time.Time {
+	return notBefore.Add(notAfter.Sub(notBefore) / 2)
+}