wsc 0.9.0

WebAssembly Signature Component - WASM signing and verification toolkit
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364

//! Custom TLS transport with certificate pinning support
//!
//! This module provides a pinned HTTP client that enforces certificate pinning
//! for Sigstore endpoints (Fulcio, Rekor). It creates a custom rustls connector
//! that uses our `PinnedCertVerifier` for defense-in-depth against CA compromise.
//!
//! # Security
//!
//! Certificate pinning provides defense-in-depth against:
//! - CA compromise (even a trusted CA cannot issue rogue certificates)
//! - DNS/BGP hijacking with valid-looking certificates
//! - Targeted MITM attacks on specific infrastructure
//!
//! # Architecture
//!
//! This module creates a custom connector chain:
//! 1. `TcpConnector` - Opens raw TCP socket
//! 2. `PinnedRustlsConnector` - Wraps socket in TLS with certificate pinning
//!
//! The pinning is enforced at the TLS layer during the handshake, before any
//! HTTP data is exchanged.
//!
//! # Usage
//!
//! ```ignore
//! use wsc::signature::keyless::transport::create_pinned_agent;
//! use wsc::signature::keyless::cert_pinning::PinningConfig;
//!
//! let config = PinningConfig::fulcio_production();
//! let agent = create_pinned_agent(config)?;
//! let response = agent.get("https://fulcio.sigstore.dev/api/v2/...").call()?;
//! ```

use crate::error::WSError;

#[cfg(not(target_os = "wasi"))]
use crate::signature::keyless::cert_pinning::{create_pinned_rustls_config, PinningConfig};
#[cfg(not(target_os = "wasi"))]
use rustls::{ClientConfig, ClientConnection, StreamOwned};
#[cfg(not(target_os = "wasi"))]
use rustls_pki_types::ServerName;
#[cfg(not(target_os = "wasi"))]
use std::convert::TryInto;
#[cfg(not(target_os = "wasi"))]
use std::fmt;
#[cfg(not(target_os = "wasi"))]
use std::sync::Arc;
#[cfg(not(target_os = "wasi"))]
use ureq::unversioned::transport::{
    Buffers, ConnectionDetails, Connector, Either, LazyBuffers, NextTimeout, TcpConnector,
    Transport, TransportAdapter,
};

/// Custom rustls connector with certificate pinning.
///
/// This connector wraps TLS connections with our `PinnedCertVerifier` which
/// validates certificates against known SHA256 fingerprints in addition to
/// standard WebPKI validation.
#[cfg(not(target_os = "wasi"))]
pub struct PinnedRustlsConnector {
    /// Cached rustls ClientConfig with pinned verifier
    config: Arc<ClientConfig>,
}

#[cfg(not(target_os = "wasi"))]
impl PinnedRustlsConnector {
    /// Create a new connector with certificate pinning enabled.
    ///
    /// # Arguments
    /// * `pinning` - Certificate pinning configuration
    ///
    /// # Errors
    /// Returns error if TLS configuration fails
    pub fn new(pinning: PinningConfig) -> Result<Self, WSError> {
        let config = create_pinned_rustls_config(pinning)?;

        log::info!("Created PinnedRustlsConnector with certificate pinning");

        Ok(Self { config })
    }
}

#[cfg(not(target_os = "wasi"))]
impl fmt::Debug for PinnedRustlsConnector {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("PinnedRustlsConnector")
            .field("config", &"ClientConfig with PinnedCertVerifier")
            .finish()
    }
}

/// TLS transport wrapper for pinned connections.
#[cfg(not(target_os = "wasi"))]
pub struct PinnedRustlsTransport {
    buffers: LazyBuffers,
    stream: StreamOwned<ClientConnection, TransportAdapter<Box<dyn Transport>>>,
}

#[cfg(not(target_os = "wasi"))]
impl PinnedRustlsTransport {
    /// Create a new pinned TLS transport.
    pub fn new(
        buffers: LazyBuffers,
        stream: StreamOwned<ClientConnection, TransportAdapter<Box<dyn Transport>>>,
    ) -> Self {
        Self { buffers, stream }
    }
}

#[cfg(not(target_os = "wasi"))]
impl fmt::Debug for PinnedRustlsTransport {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("PinnedRustlsTransport").finish()
    }
}

#[cfg(not(target_os = "wasi"))]
impl<In: Transport> Connector<In> for PinnedRustlsConnector {
    type Out = Either<In, PinnedRustlsTransport>;

    fn connect(
        &self,
        details: &ConnectionDetails,
        chained: Option<In>,
    ) -> Result<Option<Self::Out>, ureq::Error> {
        let Some(transport) = chained else {
            panic!("PinnedRustlsConnector requires a chained transport");
        };

        // Only add TLS if connecting via HTTPS and not already TLS
        if !details.needs_tls() || transport.is_tls() {
            log::trace!("PinnedRustlsConnector: Skip (not HTTPS or already TLS)");
            return Ok(Some(Either::A(transport)));
        }

        log::trace!("PinnedRustlsConnector: Wrapping connection in pinned TLS");

        // Get server name from URI
        let name_borrowed: ServerName<'_> = details
            .uri
            .authority()
            .expect("uri authority for tls")
            .host()
            .try_into()
            .map_err(|e| {
                log::debug!("PinnedRustlsConnector: invalid dns name: {}", e);
                ureq::Error::Tls("Invalid DNS name for TLS")
            })?;
        let name = name_borrowed.to_owned();

        // Create TLS connection with our pinned config
        let conn = ClientConnection::new(self.config.clone(), name)?;
        let stream = StreamOwned {
            conn,
            sock: TransportAdapter::new(transport.boxed()),
        };

        let buffers = LazyBuffers::new(
            details.config.input_buffer_size(),
            details.config.output_buffer_size(),
        );

        let transport = PinnedRustlsTransport { buffers, stream };

        log::debug!("PinnedRustlsConnector: Wrapped TLS with certificate pinning");

        Ok(Some(Either::B(transport)))
    }
}

#[cfg(not(target_os = "wasi"))]
impl Transport for PinnedRustlsTransport {
    fn buffers(&mut self) -> &mut dyn Buffers {
        &mut self.buffers
    }

    fn transmit_output(&mut self, amount: usize, timeout: NextTimeout) -> Result<(), ureq::Error> {
        use std::io::Write;

        self.stream.sock.set_timeout(timeout);
        let output = self.buffers.output();
        self.stream.write_all(&output[..amount])?;
        self.stream.flush()?;
        Ok(())
    }

    fn await_input(&mut self, timeout: NextTimeout) -> Result<bool, ureq::Error> {
        use std::io::Read;

        self.stream.sock.set_timeout(timeout);
        let input = self.buffers.input_append_buf();
        let amount = self.stream.read(input)?;
        self.buffers.input_appended(amount);
        Ok(amount > 0)
    }

    fn is_open(&mut self) -> bool {
        !self.stream.conn.is_handshaking()
    }

    fn is_tls(&self) -> bool {
        true
    }
}

/// Create a ureq Agent with certificate pinning enabled.
///
/// This function creates an HTTP client that:
/// 1. Performs standard WebPKI certificate validation
/// 2. Additionally checks certificates against pinned SHA256 fingerprints
/// 3. Fails the connection if pins don't match (when enforce mode is on)
///
/// # Arguments
/// * `pinning` - Certificate pinning configuration with SHA256 fingerprints
///
/// # Returns
/// A configured ureq::Agent that enforces certificate pinning
///
/// # Errors
/// Returns `WSError::CertificatePinningError` if TLS configuration fails
#[cfg(not(target_os = "wasi"))]
pub fn create_pinned_agent(pinning: PinningConfig) -> Result<ureq::Agent, WSError> {
    use ureq::unversioned::resolver::DefaultResolver;

    // Create custom connector chain: TCP -> Pinned TLS
    let connector = ()
        .chain(TcpConnector::default())
        .chain(PinnedRustlsConnector::new(pinning)?);

    // Build agent with custom connector
    let config = ureq::config::Config::builder()
        .http_status_as_error(false)
        .build();

    let resolver = DefaultResolver::default();
    let agent = ureq::Agent::with_parts(config, connector, resolver);

    log::info!("Created HTTP agent with certificate pinning enabled");

    Ok(agent)
}

/// Create a ureq Agent without certificate pinning (fallback).
///
/// This function creates a standard HTTP client without custom TLS configuration.
/// Use this when certificate pinning is disabled or not available.
///
/// # Returns
/// A configured ureq::Agent with standard WebPKI validation
#[cfg(not(target_os = "wasi"))]
pub fn create_standard_agent() -> ureq::Agent {
    ureq::Agent::config_builder()
        .http_status_as_error(false)
        .build()
        .into()
}

/// Create an HTTP agent with optional certificate pinning.
///
/// This is the recommended function for creating HTTP clients:
/// - When a non-empty `PinningConfig` is supplied, pinning is **mandatory** —
///   the pinned agent is built or a hard error is returned. There is no
///   silent downgrade to unpinned TLS. (This closes audit finding C-4.)
/// - When no pins are supplied, the caller has explicitly opted out and a
///   standard WebPKI agent is returned.
///
/// # Arguments
/// * `pinning` - Optional certificate pinning configuration
///
/// # Returns
/// A configured ureq::Agent
///
/// # Errors
/// Returns `WSError::CertificatePinningError` if a non-empty pin set is
/// supplied but the pinned agent cannot be constructed.
///
/// # Deprecated environment variable
/// `WSC_REQUIRE_CERT_PINNING` is retained for backwards compatibility but is
/// redundant: pinning is now unconditionally enforced whenever a non-empty
/// pin set is supplied. The Sigstore production path (`PinningConfig::fulcio`,
/// `PinningConfig::rekor`) always supplies one. The variable now only affects
/// the explicit no-pins opt-out branch below.
#[cfg(not(target_os = "wasi"))]
pub fn create_agent_with_optional_pinning(
    pinning: Option<PinningConfig>,
) -> Result<ureq::Agent, WSError> {
    match pinning {
        // Pins are configured: pinning is MANDATORY. A configured pin set
        // must never silently downgrade to unpinned TLS — that silent
        // posture downgrade was audit finding C-4. Any failure to build the
        // pinned agent is propagated as a hard error.
        Some(config) if config.is_enabled() => create_pinned_agent(config),
        // No pins configured: the caller explicitly opted out of pinning.
        _ => {
            if std::env::var("WSC_REQUIRE_CERT_PINNING").unwrap_or_default() == "1" {
                return Err(WSError::CertificatePinningError(
                    "Certificate pinning required (WSC_REQUIRE_CERT_PINNING=1) but no pins configured".to_string(),
                ));
            }
            log::debug!("Certificate pinning disabled, using standard TLS");
            Ok(create_standard_agent())
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_create_standard_agent() {
        let agent = create_standard_agent();
        // Just verify it can be created
        assert!(format!("{:?}", agent).contains("Agent"));
    }

    #[test]
    fn test_create_pinned_agent() {
        // Create with test pins
        let pins = vec!["a".repeat(64), "b".repeat(64)];
        let config = PinningConfig::custom(pins, "test-service".to_string());

        let result = create_pinned_agent(config);
        assert!(result.is_ok());
    }

    #[test]
    fn test_create_agent_with_optional_pinning_none() {
        // Should fall back to standard agent when no pinning configured
        let result = create_agent_with_optional_pinning(None);
        assert!(result.is_ok());
    }

    #[test]
    fn test_create_agent_with_optional_pinning_some() {
        let pins = vec!["a".repeat(64)];
        let config = PinningConfig::custom(pins, "test".to_string());

        let result = create_agent_with_optional_pinning(Some(config));
        assert!(result.is_ok());
    }

    #[test]
    fn test_create_agent_with_empty_pinning_config() {
        // Empty config should fall back to standard agent
        let config = PinningConfig::custom(vec![], "test".to_string());

        let result = create_agent_with_optional_pinning(Some(config));
        assert!(result.is_ok());
    }

    #[test]
    fn test_pinned_connector_creation() {
        let pins = vec!["a".repeat(64)];
        let config = PinningConfig::custom(pins, "test".to_string());

        let connector = PinnedRustlsConnector::new(config);
        assert!(connector.is_ok());

        // Check debug output
        let connector = connector.unwrap();
        assert!(format!("{:?}", connector).contains("PinnedRustlsConnector"));
    }
}