Merge pull request #144 from microsoft/beejones/akv-signing

beejones · web-flow · commit 164d8b7042a8 · 2024-10-04T16:02:29.000+02:00
Sign proposals with AKV
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
             scripts/set_python_env.sh && pip install -r requirements.txt && make demo && npm run test
         env:
           KMS_WORKSPACE: ./workspace
-  
+
   test-mccf-kms:
     runs-on: ubuntu-20.04
     steps:
diff --git a/docs/Create_new_akv_member_key.md b/docs/Create_new_akv_member_key.md
@@ -0,0 +1,23 @@
+# Create new AKV member key
+## Create AKV certificate
+Use the script:
+```
+scripts/create_member_cert_akv.sh \
+    -v  name of the vault \
+    -c  name of the certificate \
+    -rg resource group name where vault is resident
+    -l  location  where vault is resident e.g. westeurope
+    -mi name of the managed identity to access the ceritificate
+```
+The user needs to be owner of the subscription with role activated in order to create the key and the roles.
+## Test the certificate
+Doing a signature proves that the managed identity has access to the AKV certificate
+```
+export AKV_VAULT_NAME="<vault name>"
+export AKV_CERTIFICATE_NAME="<certifcate name>>"
+export AKV_CERTIFICATE_VERSION="<certificate version>"
+export AKV_KID="https://$AKV_VAULT_NAME.vault.azure.net/keys/$AKV_CERTIFICATE_NAME/$AKV_CERTIFICATE_VERSION"  # use keys instead of certifcates for signing
+echo $AKV_KID
+
+curl "$AKV_KID/sign?api-version=7.4" -H "Authorization: $AKV_AUTHORIZATION" -H "Content-type: application/json" -d '{"alg": "ES384",  "value": "AQIDBAUGBwgJCgECAwQFBgcICQoBAgMEBQYHCAkKAQIDBAUGBwgJCgECAwQFBgcI"}'
+```
diff --git a/docs/Deploy_to_mCCF_using_AKV_member_key.md b/docs/Deploy_to_mCCF_using_AKV_member_key.md
@@ -0,0 +1,40 @@
+# Deploy to mCCF using AKV member key
+## Get service cert
+```
+export KEYS_DIR=vol
+cd $KEYS_DIR
+export CCF_NAME=<name of mCCF instance>
+export KMS_URL=https://${CCF_NAME}.confidential-ledger.azure.com
+export identityurl=https://identity.confidential-ledger.core.azure.com/ledgerIdentity/${CCF_NAME}
+curl $identityurl | jq ' .ledgerTlsCertificate' | xargs echo -e > service_cert.pem
+```
+## Set AKV env variables
+```
+export AKV_VAULT_NAME="<akv NAME>"
+export AKV_CERTIFICATE_NAME="name of the cert"
+export AKV_CERTIFICATE_VERSION="<version of certificate>"
+export AKV_KID="https://$AKV_VAULT_NAME.vault.azure.net/certificates/$AKV_CERTIFICATE_NAME/$AKV_CERTIFICATE_VERSION"
+echo $AKV_KID
+export AKV_AUTHORIZATION="Bearer ey..."
+```
+## Retrieve all members of KMS
+```
+curl $KMS_URL/gov/members --cacert service_cert.pem | jq
+```
+## Set custom constitution
+```
+./scripts/submit_constitution.sh --network-url $KMS_URL --certificate-dir  $KEYS_DIR --custom-constitution ./governance/constitution/kms_actions.js --member-count 1
+```
+## Deploy
+
+```
+make deploy
+```
+## Propose and vote new key release policy, settings, jwt policy and create first key
+```
+make setup
+```
+# List public keys
+```
+curl ${KMS_URL}/app/listpubkeys  --cacert $KEYS_DIR/service_cert.pem  -H "Content-Type: application/json" -i  -w '\n'
+```
diff --git a/docs/Signing_a_proposal_using_AKV_certificate.md b/docs/Signing_a_proposal_using_AKV_certificate.md
@@ -0,0 +1,29 @@
+# Signing a proposal using AKV certificate
+
+## Env variables
+
+For production environments we need to sign proposals with an Azure Key Vault (AKV) key.
+The script submit_proposal will test if the env variable AKV_KID and AKV_AUTHORIZATION are defined. If these are defined, the script will sign the proposal with the AKV key.
+
+Setting AKV_KID:
+
+```
+export AKV_VAULT_NAME="<akv NAME>"
+export AKV_CERTIFICATE_NAME="name of the cert"
+export AKV_CERTIFICATE_VERSION="<version of certificate>"
+export AKV_KID="https://$AKV_VAULT_NAME.vault.azure.net/certificates/$AKV_CERTIFICATE_NAME/$AKV_CERTIFICATE_VERSION"
+echo $AKV_KID
+```
+
+AKV_AUTHORIZATION is defined as "Bearer ey...". The token is a managed identity which has access to do signatures with the certificate.
+
+If these two env variables are not set, submit_proposal will use a local key stored in the workspace directory. When set, signing will be done on AKV.
+
+## Submit proposal using AKV
+
+export AKV_AUTHORIZATION as managed identity. Format "Bearer ey.."
+export AKV_KID points to the AKV certificate
+
+```
+scripts/submit_proposal.sh  --network_url $KMS_URL --certificate_dir $KEYS_DIR --proposal_file governance/policies/settings-policy.json
+```
diff --git a/docs/Using_mCCF_with_AKV_member_key b/docs/Using_mCCF_with_AKV_member_key
@@ -0,0 +1,23 @@
+# Using mCCF with AKV member key
+## Set env variables
+```
+# AKV_KID
+export CCF_NAME="<your mCCF instance>"
+export KMS_URL=https://${CCF_NAME}.confidential-ledger.azure.com
+export KEYS_DIR=${PWD}/vol
+export AKV_VAULT_NAME="AKV name"
+export AKV_CERTIFICATE_NAME="member0"
+export AKV_CERTIFICATE_VERSION="version of certificate"
+export AKV_KID="https://$AKV_VAULT_NAME.vault.azure.net/certificates/$AKV_KEY_NAME/$KEY_VERSION"
+echo $AKV_KID
+# AKV_AUTHORIZATION
+export AKV_AUTHORIZATION="Bearer ey..."
+```
+## Test signing and access to signing certificate
+```
+curl "$AKV_KID/sign?api-version=7.4" -H "Authorization: $AKV_AUTHORIZATION" -H "Content-type: application/json" -d '{"alg": "ES384",  "value": "AQIDBAUGBwgJCgECAwQFBgcICQoBAgMEBQYHCAkKAQIDBAUGBwgJCgECAwQFBgcI"}'
+```
+## Test AKV key by signing a proposal
+```
+scripts/submit_proposal.sh  --network_url $KMS_URL --certificate_dir $KEYS_DIR --proposal_file governance/policies/settings-policy.json
+```
diff --git a/scripts/add_member_proposal.sh b/scripts/add_member_proposal.sh
@@ -12,16 +12,22 @@ function create_member_proposal {
     local setUserFile=$3
 
     cert=$(< $certFile sed '$!G' | paste -sd '\\n' -)
-    key=$(< $keyFile sed '$!G' | paste -sd '\\n' -)
+
+    if [ -n "$keyFile" ]; then
+        key=$(< $keyFile sed '$!G' | paste -sd '\\n' -)
+        key_entry="\"encryption_pub_key\": \"${key}\n\""
+    else
+        key_entry=""
+    fi
 
     cat <<JSON > $setUserFile
 {
   "actions": [
     {
       "name": "set_member",
       "args": {
-        "cert": "${cert}\n",
-        "encryption_pub_key": "${key}\n"
+        "cert": "${cert}\n"
+        ${key_entry:+, $key_entry}
       }
     }
   ]
@@ -33,13 +39,14 @@ function usage {
     echo ""
     echo "Generate set_member.json proposal for adding members to CCF."
     echo ""
-    echo "usage: ./add_member.sh --cert-file string --pubk-file string"
+    echo "usage: ./add_member.sh --cert-file string [--pubk-file string]"
     echo ""
     echo "  --cert-file     string     the certificate .pem file for the member"
-    echo "  --pubk-file     string     the encryption public key .pem file for the member"
+    echo "  --pubk-file     string     the encryption public key .pem file for the member (optional)"
     echo ""
     exit 0
 }
+
 function failed {
     printf "Script failed: %s\n\n" "$1"
     exit 1
@@ -51,11 +58,14 @@ if [ $# -eq 0 ]; then
     exit 1
 fi
 
+cert_file=""
+pubk_file=""
+
 while [ $# -gt 0 ]
 do
     name="${1/--/}"
     name="${name/-/_}"
-    case "--$name"  in
+    case "--$name" in
         --cert_file) cert_file="$2"; shift;;
         --pubk_file) pubk_file="$2"; shift;;
         --help) usage; exit 0; shift;;
@@ -66,9 +76,7 @@ done
 
 # validate parameters
 if [ -z "$cert_file" ]; then
-	failed "Missing parameter --cert-file"
-elif [ -z "$pubk_file" ]; then
-	failed "Missing parameter --pubk-file"
+    failed "Missing parameter --cert-file"
 fi
 
 echo "Looking for certificate file..."
@@ -78,26 +86,32 @@ if [ -z "$check_existence" ]; then
     exit 0
 fi
 
-echo "Looking for public key file..."
-check_existence=$(ls $pubk_file 2>/dev/null || true)
-if [ -z "$check_existence" ]; then
-    echo "Public key file \"$pubk_file\" does not exist."
-    exit 0
-fi
-
-if [ ${cert_file##*.} != "pem" -o ${pubk_file##*.} != "pem" ]
-then
-    echo "Wrong file extensions. Only \".pem\" files are supported."
-    exit 0
+if [ -n "$pubk_file" ]; then
+    echo "Looking for public key file..."
+    check_existence=$(ls $pubk_file 2>/dev/null || true)
+    if [ -z "$check_existence" ]; then
+        echo "Public key file \"$pubk_file\" does not exist."
+        exit 0
+    fi
+
+    if [ ${cert_file##*.} != "pem" -o ${pubk_file##*.} != "pem" ]; then
+        echo "Wrong file extensions. Only \".pem\" files are supported."
+        exit 0
+    fi
+else
+    if [ ${cert_file##*.} != "pem" ]; then
+        echo "Wrong file extension. Only \".pem\" files are supported."
+        exit 0
+    fi
 fi
 
-certs_folder=`dirname $cert_file`
+certs_folder=$(dirname $cert_file)
 proposal_json_file="${certs_folder}/set_member.json"
 
 echo "Creating member json proposal file..."
-create_member_proposal $cert_file $pubk_file $proposal_json_file
+create_member_proposal $cert_file "${pubk_file:-}" $proposal_json_file
 
 member_id=$(openssl x509 -in "$cert_file" -noout -fingerprint -sha256 | cut -d "=" -f 2 | sed 's/://g' | awk '{print tolower($0)}')
 
 echo "proposal json file created: $proposal_json_file"
-echo "member id: $member_id"
+echo "member id: $member_id"
diff --git a/scripts/create_member_cert_akv.sh b/scripts/create_member_cert_akv.sh
@@ -0,0 +1,120 @@
+#!/bin/bash
+set -e
+
+# Function to display usage
+display_usage() {
+    echo "Create Azure Key Vault certificate with managed identity access policy."
+    echo ""
+    echo "Usage:"
+    echo -e "$0 [-v  | --vault] vault_name   name of the vault"
+    echo -e "$0 [-c  | --create] identity_cert_name  name of the certificate"
+    echo -e "$0 [-rg | --resource-group] resource_group_name name of the resource group"
+    echo -e "$0 [-l  | --location] location  location of the vault"
+    echo -e "$0 [-mi | --managed-identity] managed_identity_name name of the managed identity to access the ceritificate"
+    echo -e "$0 [-h  | --help"
+    echo ""
+}
+
+# Check if the correct number of arguments is provided
+if [ $# -le 1 ]; then
+    display_usage
+    exit 1
+fi
+
+# Parse command-line arguments
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+        -v|--vault) vault_name="$2"; shift ;;
+        -c|--create) cert_name="$2"; shift ;;
+        -rg|--resource_group) resource_group="$2"; shift ;;
+        -l|--location) location="$2"; shift ;;
+        -mi|--managed_identity) managed_identity_name="$2"; shift ;;
+        -h|--help) display_usage; exit 0 ;;
+        *) echo "Unknown parameter passed: $1"; display_usage; exit 1 ;;
+    esac
+    shift
+done
+
+echo "Vault Name: $vault_name"
+echo "Certificate Name: $cert_name"
+echo "Resource Group: $resource_group"
+echo "Location: $location"
+echo "Managed Identity Name: $managed_identity_name"
+
+# Check if required arguments are provided
+if [ -z "$vault_name" ] || [ -z "$cert_name" ] || [ -z "$resource_group" ] || [ -z "$location" ] || [ -z "$managed_identity_name" ]; then
+    echo "Error: Vault name, certificate name, resource group, location, and managed identity name are required."
+    display_usage
+    exit 1
+fi
+
+# Check if the Key Vault exists and if it has '--enable-rbac-authorization' specified
+vault_properties=$(az keyvault show --name "$vault_name" --resource-group "$resource_group" --query "properties" -o json)
+if echo "$vault_properties" | grep -q '"enableRbacAuthorization": true'; then
+    echo "The Key Vault is configured with '--enable-rbac-authorization'."
+    echo "You cannot set access policies directly on this Key Vault."
+    echo "Ensuring that the necessary RBAC roles are assigned to the managed identity."
+
+    # Get the managed identity principal ID
+    managed_identity_principal_id=$(az identity show --name "$managed_identity_name" --resource-group "$resource_group" --query "principalId" -o tsv)
+    if [ -z "$managed_identity_principal_id" ]; then
+        echo "Error: Failed to retrieve the managed identity principal ID."
+        exit 1
+    fi
+
+    # Array of roles to assign
+    roles=("Key Vault Certificate User" "Key Vault Crypto User" "Reader")
+
+    # Loop through each role and assign it to the managed identity
+    for role in "${roles[@]}"; do
+        az role assignment create --role "$role" --assignee "$managed_identity_principal_id" --scope "/subscriptions/$(az account show --query 'id' -o tsv)/resourceGroups/$resource_group/providers/Microsoft.KeyVault/vaults/$vault_name"
+        if [ $? -ne 0 ]; then
+            echo "Error: Failed to assign the '$role' role to the managed identity."
+            exit 1
+        fi
+    done
+
+    echo "Successfully assigned the 'Key Vault Certificate User' role to the managed identity."
+fi
+
+# Your script logic to create the certificate goes here
+
+# Create the JSON file dynamically
+JSON_FILE="/tmp/identity_cert_policy.json"
+cat <<EOF > $JSON_FILE
+{
+  "issuerParameters": {
+    "certificateTransparency": null,
+    "name": "Self"
+  },
+  "keyProperties": {
+    "curve": "P-384",
+    "exportable": false,
+    "keyType": "EC",
+    "reuseKey": true
+  },
+  "lifetimeActions": [
+    {
+      "action": {
+        "actionType": "AutoRenew"
+      },
+      "trigger": {
+        "daysBeforeExpiry": 90
+      }
+    }
+  ],
+  "secretProperties": {
+    "contentType": "application/x-pkcs12"
+  },
+  "x509CertificateProperties": {
+    "keyUsage": ["digitalSignature"],
+    "subject": "CN=Member",
+    "validityInMonths": 12
+  }
+}
+EOF
+
+# Create the certificate in Azure Key Vault
+az keyvault certificate create --vault-name $vault_name -n $cert_name -p @$JSON_FILE
+az keyvault key show --vault-name $vault_name --name $cert_name
+rm $JSON_FILE
diff --git a/scripts/register_member_akv.sh b/scripts/register_member_akv.sh
diff --git a/scripts/sign_proposal_akv.sh b/scripts/sign_proposal_akv.sh
diff --git a/scripts/submit_proposal.sh b/scripts/submit_proposal.sh
