Support grpc provider TLS

[salrashid123]

hi-

The GRPC key provder does not have the option of using TLS:

https://github.com/containers/ocicrypt/blob/main/keywrap/keyprovider/keyprovider.go#L171

It would be nice if there would be come configuration which allows for TLS settings such that you can utilize TLS (and more specifically basic mTLS).

the usecase is something like this:

if i run a kubernetes node as TEE where the node itself has mTLS certificates present by some other mean (by cloud provider, spiffee agent(?)), and one which has /usr/local/bin/ctd-decoder set to use ocicrypt grpc, I'd like to invoke encryption/decryption grpc calls over TLS which uses the client certs.

---

It looks like the existing keyprovider config just loads the grpc settings as a string (host:port) so there' isn't a straight forward, clean way to specify basic tls config values:

type KeyProviderAttrs struct {
	Command *Command `json:"cmd,omitempty"`
	Grpc    string   `json:"grpc,omitempty"`
}

not so great options would lead to breaking changes (eg, change Grpc from string to a json struct with a subset of tls.Config values or the Grpc string is a uri with host:port?key=value where key=value are the tls.Config stuff

[stefanberger]

not so great options would lead to breaking changes (eg, change Grpc from string to a json struct with a subset of tls.Config values or the Grpc string is a uri with host:port?key=value where key=value are the tls.Config stuff

I haven't looked at this... Would a new optional field TLSGrpc be a solution? It could hold the json struct you mention and be mutually exclusive with the existing Grpc.

[salrashid123]

yeah, that would work too. Just a very basic tls config with optional CA, mtls cert and keys from files would be ok?

something like this

{
  "key-providers": {
    "grpc-keyprovider": {
      "grpc": "ocicryptpqc-995081019036.us-central1.run.app:443",
      "grpc-tls": {
        "server-name": "ocicryptpqc-995081019036.us-central1.run.app",
        "insecure-skip-verify": false,
        "root-ca-file": "/etc/ssl/certs/ca-certificates.crt"
      }
    }
  }
}

diff --git a/config/keyprovider-config/config.go b/config/keyprovider-config/config.go
index 4785a83..f4605d5 100644
--- a/config/keyprovider-config/config.go
+++ b/config/keyprovider-config/config.go
@@ -29,10 +29,39 @@ type Command struct {
 	Args []string `json:"args,omitempty"`
 }
 
+// GrpcTLS describes the structure of TLS configuration for gRPC connection, it consist of CA certificate,
+// client certificate and client key
+type GrpcTLS struct {
+	// RootCAFile defines path to the PEM file with the set of root certificate authorities
+	// that clients use when verifying server certificates.
+	// If RootCAs is nil, TLS uses the host's root CA set.
+	RootCAFile string `json:"root-ca-file,omitempty"`
+
+	// CertFile contains the path to the x509 PEM encoded client certificate.
+	CertFile string `json:"cert-file,omitempty"`
+	// KeyFile contains the path to the PEM encoded client key.
+	KeyFile string `json:"key-file,omitempty"`
+
+	// ServerName is used to verify the hostname on the returned
+	// certificates unless InsecureSkipVerify is given. It is also included
+	// in the client's handshake to support virtual hosting unless it is
+	// an IP address.
+	ServerName string `json:"server-name,omitempty"`
+
+	// InsecureSkipVerify controls whether a client verifies the
+	// server's certificate chain and host name.
+	// If InsecureSkipVerify is true, TLS accepts any certificate
+	// presented by the server and any host name in that certificate.
+	// In this mode, TLS is susceptible to man-in-the-middle attacks.
+	// This should be used only for testing.
+	InsecureSkipVerify bool `json:"insecure-skip-verify,omitempty"`
+}
+
 // KeyProviderAttrs describes the structure of key provider, it defines the way of invocation to key provider
 type KeyProviderAttrs struct {
 	Command *Command `json:"cmd,omitempty"`
 	Grpc    string   `json:"grpc,omitempty"`
+	GrpcTLS *GrpcTLS `json:"grpc-tls,omitempty"`
 }
 
 // OcicryptConfig represents the format of an ocicrypt_provider.conf config file
diff --git a/keywrap/keyprovider/keyprovider.go b/keywrap/keyprovider/keyprovider.go
index 6ac0fcb..cccbb3a 100644
--- a/keywrap/keyprovider/keyprovider.go
+++ b/keywrap/keyprovider/keyprovider.go
@@ -18,9 +18,12 @@ package keyprovider
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
 
 	"github.com/containers/ocicrypt/config"
 	keyproviderconfig "github.com/containers/ocicrypt/config/keyprovider-config"
@@ -29,6 +32,7 @@ import (
 	keyproviderpb "github.com/containers/ocicrypt/utils/keyprovider"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 )
 
 type keyProviderKeyWrapper struct {
@@ -118,14 +122,15 @@ func (kw *keyProviderKeyWrapper) WrapKeys(ec *config.EncryptConfig, optsData []b
 			}
 			return protocolOuput.KeyWrapResults.Annotation, nil
 		} else if kw.attrs.Grpc != "" {
-			protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, OpKeyWrap)
+			protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, kw.attrs.GrpcTLS, OpKeyWrap)
 			if err != nil {
 				return nil, fmt.Errorf("error while retrieving keyprovider protocol grpc output: %w", err)
 			}
 
 			return protocolOuput.KeyWrapResults.Annotation, nil
+		} else {
+			return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 		}
-		return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 	}
 
 	return nil, nil
@@ -154,23 +159,68 @@ func (kw *keyProviderKeyWrapper) UnwrapKey(dc *config.DecryptConfig, jsonString
 
 		return protocolOuput.KeyUnwrapResults.OptsData, nil
 	} else if kw.attrs.Grpc != "" {
-		protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, OpKeyUnwrap)
+		protocolOuput, err := getProviderGRPCOutput(input, kw.attrs.Grpc, kw.attrs.GrpcTLS, OpKeyUnwrap)
 		if err != nil {
 			// If err is not nil, then ignore it and continue with rest of the given keyproviders
 			return nil, err
 		}
 
 		return protocolOuput.KeyUnwrapResults.OptsData, nil
+	} else {
+		return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 	}
-	return nil, errors.New("Unsupported keyprovider invocation. Supported invocation methods are grpc and cmd")
 }
 
-func getProviderGRPCOutput(input []byte, connString string, operation KeyProviderKeyWrapProtocolOperation) (*KeyProviderKeyWrapProtocolOutput, error) {
+func getProviderGRPCOutput(input []byte, connString string, grpcTls *keyproviderconfig.GrpcTLS, operation KeyProviderKeyWrapProtocolOperation) (*KeyProviderKeyWrapProtocolOutput, error) {
 	var protocolOuput KeyProviderKeyWrapProtocolOutput
 	var grpcOutput *keyproviderpb.KeyProviderKeyWrapProtocolOutput
-	cc, err := grpc.Dial(connString, grpc.WithInsecure())
-	if err != nil {
-		return nil, fmt.Errorf("error while dialing rpc server: %w", err)
+
+	var cc *grpc.ClientConn
+	var err error
+
+	var rootCAs *x509.CertPool
+	if grpcTls != nil {
+		if grpcTls.RootCAFile != "" {
+			rootCAs = x509.NewCertPool()
+			pem, err := os.ReadFile(grpcTls.RootCAFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load root CA certificates  error=%v", err)
+			}
+			if !rootCAs.AppendCertsFromPEM(pem) {
+				return nil, fmt.Errorf("no root CA certs parsed from file ")
+			}
+		} else {
+			rootCAs, err = x509.SystemCertPool()
+			if err != nil {
+				rootCAs = x509.NewCertPool()
+			}
+		}
+
+		var clientCerts []tls.Certificate
+		if grpcTls.CertFile != "" && grpcTls.KeyFile != "" {
+			cert, err := tls.LoadX509KeyPair(grpcTls.CertFile, grpcTls.KeyFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to load client certificate and key: %v", err)
+			}
+			clientCerts = []tls.Certificate{cert}
+		}
+
+		tlsConfig := &tls.Config{
+			RootCAs:            rootCAs,
+			ServerName:         grpcTls.ServerName,
+			InsecureSkipVerify: grpcTls.InsecureSkipVerify,
+			Certificates:       clientCerts,
+		}
+		creds := credentials.NewTLS(tlsConfig)
+		cc, err = grpc.Dial(connString, grpc.WithTransportCredentials(creds))
+		if err != nil {
+			return nil, fmt.Errorf("error while dialing TLS rpc server: %w", err)
+		}
+	} else {
+		cc, err = grpc.Dial(connString, grpc.WithInsecure())
+		if err != nil {
+			return nil, fmt.Errorf("error while dialing rpc server: %w", err)
+		}
 	}
 	defer func() {
 		derr := cc.Close()

[stefanberger]

looks good to me.

[salrashid123]

@stefanberger submitted PR #128 PTAL

verified TLS and mTLS against a sample grpc server here

• https://github.com/salrashid123/ocicrypt-pqc-keyprovider/tree/main/grpc

as well as a grpc server deployed on cloud run which uses the default system ca certs for plain tls

[stefanberger]

Btw, are you going to be using this with imgcrypt? It would be good to have this type of sample RPC server with TLS there as well for testing.

[salrashid123]

sure, i can submit pr for imgcrypt which includes an rpc server and how to configure TLS.

Maybe an end-to-end with minikube too like this

https://github.com/salrashid123/ocicrypt-pqc-keyprovider/tree/main?tab=readme-ov-file#minikube

but modified to use grpc TLS (or mtls) and provide a reference to how spifie cert provisioning
https://spiffe.io/docs/latest/deploying/configuring/#x509-certificate