Deploying Timestamp authority in Airgap mode #415
Comments
I am not familiar with Vault deployments, but if the vault and key are accessible locally, you can specify the key starting with
I created a cert chain (Root -> intermediate -> leaf) using openssl. Now I imported the leaf key created before into HashiCorp Vault:

```shell
openssl pkcs8 -topk8 -inform PEM -outform DER -in leafCA.key -out leafCA.pkcs8 -nocrypt
base64 -i leafCA.pkcs8 > leafCA.base64
vault transit import transit/keys/tsaLeafkey @leafCA.base64 type=rsa-2048
```

I now configured the TSA to use the KMS as signer:

```shell
./timestamp-server serve --port=3000 --timestamp-signer=kms --kms-key-resource=hashivault://tsaLeafkey --certificate-chain-path=./TSAcertchain.crt --disable-ntp-monitoring=true
```

I now followed the steps to create a TSQ, generate the TSR and verify it.
Everything you've done seems correct. Are you able to inspect the tsq and tsr with OpenSSL?
I was able to print the tsq and tsr in human-readable form using openssl TST info, but when I tried to use the timestamp-cli to inspect the tsr it failed with a validation error. I am attaching the logs and details for the working file-signer case and the not-working KMS-signer case.
@haydentherapper did you find any error in the procedure I used for the KMS-based signer?
What's the hashing algorithm used with the key? One guess is if it's not sha256, then it'll fail. Everything you've specified seems correct, so you might need to step through verification and see at what point it's failing.
The hashing algo used is sha256 only. As per the logs the verification is failing in the crypto library functions. I am not sure, but what I see is that if we use the hashivault:// option the TSA tries to get the key from the transit secret engine of HashiCorp Vault. Now, in the cert chain the public key is stored in the PEM format only.
We are also looking for a way to deploy this locally with Vault. Looking forward to seeing if you can solve this @Mukuls77.
Hi, I am running into the same issue. Looks like the signature algorithm is wrong. In https://github.com/sigstore/sigstore/blob/11bb41a30564029ec477dda566bba110d3a7b14b/pkg/signature/kms/hashivault/client.go#L278-L282 there is no signature algorithm specified, so Vault will use the default one, which is signResult, err := client.Write(fmt.Sprintf("/%s/sign/%s%s", h.transitSecretEnginePath, h.keyPath, hashString(alg)), map[string]interface{}{
"input": base64.StdEncoding.Strict().EncodeToString(digest),
"prehashed": alg != crypto.Hash(0),
"key_version": keyVersion,
+ "signature_algorithm": "pkcs1v15",
}) I could make it work. However, lacking a full understanding of the code (especially since it is used by other packages too), I am not sure if this would break other things. Maybe somebody who is more fluent with it can help resolve this. EDIT: I observed similar behaviour with Fulcio and Rekor (hopefully this problem will be resolved with sigstore/sigstore#1735).
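Review bot: the added `"signature_algorithm": "pkcs1v15"` is an unconditional literal in a client that, as the comment itself notes, is shared by other packages, so it flips the RSA scheme for every caller of this Vault signer, not just the timestamp authority; the parameter also only has meaning for RSA keys. Rather than hard-coding it in the Write call, derive the value from the signer's configured options (next to the existing `hashString(alg)` / `"prehashed"` handling) and make sure the verifying side uses the same scheme, so the choice is explicit and testable instead of a silent change of default.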
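To make the failure mode in this thread concrete, here is an added example (not code from the original issue, from sigstore, or from Vault): it signs one SHA-256 digest with RSA-PSS, which is what Vault transit applies to an RSA key when the sign request carries no signature_algorithm parameter, and with PKCS#1 v1.5, which is what the suggested "pkcs1v15" value requests, then checks each signature with both verifiers. The two cross-scheme cells come back false, which is exactly the shape of a verification that fails "in the crypto library functions" when signer and verifier disagree. The key, the message and the function names are constructed locally for the example; nothing here talks to a real Vault.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"sort"
)

// signatureMatrix records, for each signing scheme / verifying scheme pair,
// whether verification succeeded. Keys are of the form "sign=<s> verify=<v>".
type signatureMatrix map[string]bool

// signPSS produces an RSA-PSS signature over a precomputed SHA-256 digest.
// This is the scheme Vault transit applies to an RSA key when the sign request
// carries no signature_algorithm parameter (Vault's default is "pss").
func signPSS(key *rsa.PrivateKey, digest []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest,
		&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthAuto})
}

// signPKCS1v15 produces an RSA PKCS#1 v1.5 signature over the same digest,
// i.e. what the thread's suggested "signature_algorithm": "pkcs1v15" requests.
func signPKCS1v15(key *rsa.PrivateKey, digest []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest)
}

// verifyPSS and verifyPKCS1v15 return true only if the signature is valid
// under that specific scheme; a signature made under the other scheme is rejected.
func verifyPSS(pub *rsa.PublicKey, digest, sig []byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest, sig, nil) == nil
}

func verifyPKCS1v15(pub *rsa.PublicKey, digest, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) == nil
}

// crossCheck signs msg under both schemes and verifies each signature with
// both verifiers, returning the 2x2 result matrix.
func crossCheck(key *rsa.PrivateKey, msg []byte) (signatureMatrix, error) {
	digest := sha256.Sum256(msg)
	pss, err := signPSS(key, digest[:])
	if err != nil {
		return nil, err
	}
	pkcs, err := signPKCS1v15(key, digest[:])
	if err != nil {
		return nil, err
	}
	pub := &key.PublicKey
	return signatureMatrix{
		"sign=pss verify=pss":           verifyPSS(pub, digest[:], pss),
		"sign=pss verify=pkcs1v15":      verifyPKCS1v15(pub, digest[:], pss),
		"sign=pkcs1v15 verify=pss":      verifyPSS(pub, digest[:], pkcs),
		"sign=pkcs1v15 verify=pkcs1v15": verifyPKCS1v15(pub, digest[:], pkcs),
	}, nil
}

func main() {
	// A throwaway 2048-bit key stands in for the tsaLeafkey imported into
	// Vault in the thread (constructed for the example).
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample input standing in for the DER-encoded TSTInfo bytes.
	matrix, err := crossCheck(key, []byte("constructed sample TSTInfo bytes"))
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(matrix))
	for k := range matrix {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-32s verified=%v\n", k, matrix[k])
	}
}
```

The practical takeaway is that the fix is an agreement problem, not a key problem: the imported RSA key is fine, but the signer (Vault, defaulting to PSS) and the verifier (expecting PKCS#1 v1.5) have to be configured to the same scheme, and whichever side is changed should be done explicitly and covered by a test like this matrix rather than by relying on a default.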
Question
We want to deploy the Sigstore Timestamp Authority in airgap mode, in which it will have no access to the internet or external cloud providers. The query is that, from the available documentation, the Sigstore TSA can be deployed in production mode with a cloud KMS as key store. In that list we could see HashiCorp Vault is also an option provided. So, can we deploy a local instance of HashiCorp Vault and integrate it with the Sigstore TSA?
Can you please provide some more details on how we can integrate the Sigstore TSA with a locally deployed HashiCorp Vault.