Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add FIPS support #828

Merged
merged 3 commits into from
Oct 1, 2024
Merged

Add FIPS support #828

merged 3 commits into from
Oct 1, 2024

Conversation

ginglis13
Copy link
Contributor

@ginglis13 ginglis13 commented Sep 26, 2024
edited
Loading

Issue #, if available:

Description of changes:

  • add a fips feature to all crates in this project for toggling on/off fips features in dependent crates
  • explicitly install a default CryptoProvider before constructing a reqwest HTTP client
  • update reqwest to 0.12

This change is dependent on #826 (rustls upgrade included there: https://github.com/smithy-lang/smithy-rs/blob/37c1cc0b31fa85057bd294707bdc88d7bc91d627/rust-runtime/aws-smithy-experimental/Cargo.toml#L25-L26)

Testing

  • make integ
  • use a fips tuftool to pull down Bottlerocket TUF repos
$ cargo install --path tuftool --all-features
$ wget https://updates.bottlerocket.aws/2020-07-07/aws-k8s-1.30/aarch64/6.root.json
$ tuftool download -r 6.root.json \
  --targets-url https://updates.bottlerocket.aws/targets \
  --metadata-url https://updates.bottlerocket.aws/2020-07-07/aws-k8s-1.30/aarch64/ \
  test-fips-tuftool
...
        -> bottlerocket-aws-k8s-1.30-aarch64-1.21.1-82691b51-root.verity.lz4
        -> bottlerocket-aws-k8s-1.30-aarch64-v1.20.4-data.img.lz4
  • test fips tuftool against NGINX server using FIPS, and non-FIPS, ciphers, ensure success/failure
  1. $ cargo install --path tuftool --all-features
  2. Start an nginx server with the default configuration, with this minor addition:
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
  1. Create a basic TUF repo:
ALIAS_SUFFIX=$(date "+%Y-%m-%d")

# Simple script to create RSA 3072 KMS keys
SCRIPT_PATH=create-new-kms-key.sh
$SCRIPT_PATH alias/bottlerocket-root-${ALIAS_SUFFIX}
$SCRIPT_PATH alias/bottlerocket-publication-${ALIAS_SUFFIX}                                                                                                                                                                                      $SCRIPT_PATH alias/bottlerocket-timestamp-${ALIAS_SUFFIX}

tuftool root init --version 1 1.root.json

expiration_date=$(date -d "${ALIAS_SUFFIX} + 1 year" --iso-8601=date -u)T00:00:00+00:00

tuftool root expire 1.root.json ${expiration_date}

tuftool root set-threshold 1.root.json root 1
tuftool root set-threshold 1.root.json snapshot 1
tuftool root set-threshold 1.root.json targets 1
tuftool root set-threshold 1.root.json timestamp 1

 # Add keys                                                                                                                                                                                                                                                     
tuftool root add-key 1.root.json \
  -k aws-kms://default/alias/bottlerocket-root-${ALIAS_SUFFIX} \
  -r root

tuftool root add-key 1.root.json \
  -k aws-kms://default/alias/bottlerocket-publication-${ALIAS_SUFFIX} \
   -r snapshot -r targets -r timestamp

tuftool root add-key 1.root.json \
  -k aws-kms://default/alias/bottlerocket-timestamp-${ALIAS_SUFFIX} \
  -r timestamp

# Sign
tuftool root sign 1.root.json \
  -k aws-kms://default/alias/bottlerocket-root-${ALIAS_SUFFIX}

mkdir empty
tuftool create \
    -t empty --outdir out --root 1.root.json \
    -k aws-kms://default/alias/bottlerocket-publication-${ALIAS_SUFFIX} \
    --snapshot-expires 'in 7 days' --snapshot-version $(date +%s) \
    --targets-expires 'in 7 days' --targets-version $(date +%s) \
    --timestamp-expires 'in 7 days' --timestamp-version $(date +%s)
  1. Serve the TUF repo via local nginx server:
sudo cp -r out/metadata /usr/share/nginx/html
sudo cp -r out/targets /usr/share/nginx/html

  1. Follow https://www.baeldung.com/openssl-self-signed-cert to add a self signed cert for the HTTPS endpoint of the NGINX server. sudo trust anchor --store rootCA.crt to add it to local trust store.

  2. Ensure failure to download the repo, since TLS_CHACHA20_POLY1305_SHA256 is a non-FIPS ciphersuite:

 tuftool download -r 1.root.json \
    --targets-url https://localhost/targets  \
    --metadata-url https://localhost/metadata 
    test-nginx

  1. Remove ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; and replace with ssl_ciphers 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL'; (which is from the openSSL wiki on FIPS: https://wiki.openssl.org/index.php/FIPS_mode_and_TLS)

  2. rerun 6. and ensure success

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@ginglis13
Copy link
Contributor Author

^ force pushes have been for CI. I split out fips integ testing to its own Makefile rule such that it can be skipped on the macOS platform, and I'm attempting a different approach for pulling in the NASM dep for Windows testing.

@ginglis13
Copy link
Contributor Author

^ use ilammy/setup-nasm@v1 (as aws-lc-rs does: https://github.com/aws/aws-lc-rs/blob/4d5cf823b20b12f24ef2fb079bdf7833f7ff96c1/.github/workflows/fips.yml#L76C7-L76C35)

@ginglis13
Copy link
Contributor Author

^ remove redundant default feature from fips feature in tuftool

@ginglis13
feature: add a 'fips' feature to crates
af6a909 
add a 'fips' feature to tough crates to enable toggling fips enforcement
on crate dependencies. Remove the prebuilt-nasm feature in favor of
allowing downstream consumers to set this feature if needed; use
setup-nasm in CI for windows integ testing and split out integ
testing fips to a new Makefile rule such that it can be skipped in macos
testing

Signed-off-by: Gavin Inglis <[email protected]>
@ginglis13
Copy link
Contributor Author

^ rebase off of #826

@ginglis13 ginglis13 marked this pull request as ready for review September 28, 2024 00:44
@ginglis13 ginglis13 marked this pull request as draft September 28, 2024 00:45
@ginglis13
tuftool: install default CryptoProvider for HTTP client
f501c0f 
when building the tuftool HTTP client, install the aws_lc_rs default
CryptoProvider if none is set yet. This is to ensure that a
CryptoProvider for rustls is set before proceeded with HTTP methods.

Signed-off-by: Gavin Inglis <[email protected]>
@ginglis13
Copy link
Contributor Author

ginglis13 commented Sep 30, 2024
edited
Loading

^ force push moves CryptoProvider installation to Default impl of HttpTransportBuilder to be as early in the process as possible; also add a commit to bump reqwest and httptest

Moving out of draft; the steps I took to do some additional manual testing are in the overview of this PR

@ginglis13
Copy link
Contributor Author

^ force push bumps reqwest in deny.toml for license checks

@ginglis13 ginglis13 marked this pull request as ready for review September 30, 2024 22:35
jpculp
jpculp reviewed Oct 1, 2024
View reviewed changes
deny.toml Outdated Show resolved Hide resolved
@ginglis13
deps: bump reqwest to 0.12, httptest to 0.16
680cc11 
Bump reqwest to 0.12 as a prerequisite for FIPS support.
@ginglis13
Copy link
Contributor Author

^ more fine-grained skip-tree entries for license checks

@ginglis13 ginglis13 merged commit 5619bb1 into awslabs:develop Oct 1, 2024
9 checks passed
@ginglis13 ginglis13 mentioned this pull request Oct 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arnaldo2792 arnaldo2792 arnaldo2792 approved these changes

@jpculp jpculp jpculp approved these changes

@bcressey bcressey bcressey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ginglis13 @bcressey @jpculp @arnaldo2792