Adds verification key for Wasm module #177
Conversation
Signed-off-by: Asra Ali <[email protected]>
There was a problem hiding this comment.
I think the hardcoded key should stay (and take a priority if used), since for binary authorization we want to make sure that if Envoy is compiled with a given key, then only Wasm modules signed with that key could be loaded and nothing else (even if provided in configuration). Yes, this is "I'm paranoid" feature :)
src/signature_util.cc
Outdated
| static const auto ed25519_pubkey = hex2pubkey<32>(PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY); | ||
| char pubkey_char[65]; | ||
| strcpy(pubkey_char, pubkey.c_str()); | ||
| static const auto ed25519_pubkey = hex2pubkey<32>(pubkey_char); |
There was a problem hiding this comment.
This is static variable, so the first key used would persist forever and it would be used for all verifications, leading to false negatives.
Signed-off-by: Asra Ali <[email protected]>
|
Added some tests now for build time key precedence and no key present verification |
|
Oh one quick comment I just remembered: should the pubkey inputs be validated at all? Or should we trust these relatively because of it's a configuration value that's likely valid |
| @@ -88,3 +88,4 @@ jobs: | |||
| - name: Test (signed Wasm module) | |||
| run: | | |||
| bazel test --define runtime=${{ matrix.runtime }} --per_file_copt=//...@-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" //test:signature_util_test | |||
|
|
|||
There was a problem hiding this comment.
Style: unnecesary change / newline.
| @@ -345,8 +345,10 @@ using WasmHandleCloneFactory = | |||
| std::function<std::shared_ptr<WasmHandleBase>(std::shared_ptr<WasmHandleBase> wasm)>; | |||
|
|
|||
| // Returns nullptr on failure (i.e. initialization of the VM fails). | |||
| // TODO: Consider a VerificationOptions struct rather than a single pubkey. | |||
| @@ -27,7 +27,7 @@ class SignatureUtil { | |||
| * @param message is the reference to store the message (success or error). | |||
| * @return indicates whether the bytecode has a valid Wasm signature. | |||
| */ | |||
| static bool verifySignature(std::string_view bytecode, std::string &message); | |||
| static bool verifySignature(std::string_view bytecode, const std::string pubkey, std::string &message); | |||
There was a problem hiding this comment.
Style: clang-format warning (line too long).
| std::shared_ptr<WasmHandleBase> | ||
| createWasm(std::string vm_key, std::string code, std::shared_ptr<PluginBase> plugin, | ||
| createWasm(std::string vm_key, std::string code, std::string pubkey, | ||
| std::shared_ptr<PluginBase> plugin, |
There was a problem hiding this comment.
Style: clang-format warning (weird indent).
| @@ -463,6 +463,7 @@ WasmForeignFunction WasmBase::getForeignFunction(std::string_view function_name) | |||
| } | |||
|
|
|||
| std::shared_ptr<WasmHandleBase> createWasm(std::string vm_key, std::string code, | |||
| std::string pubkey, | |||
There was a problem hiding this comment.
Style: clang-format warning (should be in the previous line).
| @@ -249,9 +249,9 @@ bool WasmBase::load(const std::string &code, bool allow_precompiled) { | |||
| return true; | |||
| } | |||
|
|
|||
| // Verify signature. | |||
| // Verify signature if a pubkey is present. | |||
There was a problem hiding this comment.
| // Verify signature if a pubkey is present. | |
| // Verify signature if a public key is present (embedded at build-time or provided via pubkey). |
| @@ -24,36 +24,72 @@ | |||
|
|
|||
| namespace proxy_wasm { | |||
|
|
|||
| TEST(TestSignatureUtil, GoodSignature) { | |||
| std::string BytesToHex(std::vector<uint8_t> bytes) { | |||
There was a problem hiding this comment.
| std::string BytesToHex(std::vector<uint8_t> bytes) { | |
| static std::string bytesToHex(std::vector<uint8_t> bytes) { |
| return result; | ||
| } | ||
|
|
||
| static std::string publickey(std::string filename) { |
There was a problem hiding this comment.
| static std::string publickey(std::string filename) { | |
| static std::string publicKey(std::string filename) { |
| if (!pubkey.empty()) { | ||
| char pubkey_char[65]; | ||
| strcpy(pubkey_char, pubkey.c_str()); | ||
| return hex2pubkey<32>(pubkey_char); |
There was a problem hiding this comment.
hex2pubkey is a constexpr template written to decode hex literal at the build-time with zero-cost at runtime.
But if you have to copy all the bytes to use it, then it kind of misses the point, and it would be better to add hexstr2pubkey function that can decode it in a single pass (basically, a runtime equivalent of hex2pubkey).
DRAFT: I think the argument should be a VerificationOptions struct containing possibly more keys, a verification type, all/none specification.