Add TLS support for CTLog

[fghanmi]

Summary

This pull request introduces support for enabling TLS in communications with CTLog. By adding a new command-line flag --tls-ca-cert and implementing the necessary logic to handle CTLog certificates verification , this update enhances security.

Release Note

• Feature: Added support for TLS in communication with the CTLog.
• New Flag: --tls-ca-cert to specify the CA certificate file path for secure connections.
• Behavior: If the --tls-ca-cert flag is not provided, the system will default to insecure connections.
• Security: This update significantly enhances the security of data in transit by enabling TLS.

Resolves issue: #1717

Documentation

[codecov]

Codecov Report

Attention: Patch coverage is 4.76190% with 20 lines in your changes missing coverage. Please review.

Project coverage is 50.21%. Comparing base (cf238ac) to head (3609bc5).
Report is 159 commits behind head on main.

Files	Patch %	Lines
cmd/app/serve.go	4.76%	20 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1718      +/-   ##
==========================================
- Coverage   57.93%   50.21%   -7.72%     
==========================================
  Files          50       70      +20     
  Lines        3119     4150    +1031     
==========================================
+ Hits         1807     2084     +277     
- Misses       1154     1837     +683     
- Partials      158      229      +71     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

Hey @fghanmi, sorry for the delay! Is there anything from sigstore/rekor#2164 that we should pull into this PR so this is in sync? Other question, is there any place we can add minimal tests?

[bobcallaway]

we should either scope this cmd line arg and/or update the help text to note that this only applies for connections to the ctlog

[fghanmi]

sigstore/rekor#2164
@haydentherapper,
I believe there is nothing to be added from sigstore/rekor#2164
Concerning the tests, I tried to run make up to docker-compose up, but the current configuration fails, I am not sure if I am running it wrong;
failed to load PEM certs file: open /etc/config/root.pem: permission denied

[haydentherapper]

@fghanmi Hm, I didn't get such an error, I ran docker-compose build; docker-compose up. Do you want to try again?

[fghanmi]

@fghanmi Hm, I didn't get such an error, I ran docker-compose build; docker-compose up. Do you want to try again?

I had permissions issues on my host.. it's working fine now.

---

One more thing, I've noticed that ct_log server is not properly serving TLS when it's enabled. I've opened a small fix PR on certificate-transparency-go and when it's merged, I'll resume tests on this PR.

[haydentherapper]

Sounds good, just ping this thread once you’ve tested it.

[fghanmi]

Sounds good, just ping this thread once you’ve tested it.

@haydentherapper, the update on certificate-transparency-go has been merged and I've tests the TLS communication between Fulcio and ct_server and it works fine now.

Inside Fulcio pod:

root@a899b97acafd:/go# curl  -v https://ct_server:6962/test --cacert /config/tls/ca.crt
*   Trying 192.168.64.7:6962...
* Connected to ct_server (192.168.64.7) port 6962 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /config/tls/ca.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: OU=Server; CN=*; emailAddress=tls@gmail.com
*  start date: Jul 30 18:59:47 2024 GMT
*  expire date: Sep 28 18:59:47 2024 GMT
*  subjectAltName: host "ct_server" matched cert's "ct_server"
*  issuer: CN=My CA
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /test]
* h2h3 [:scheme: https]
* h2h3 [:authority: ct_server:6962]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x557648bc0c80)
> GET /test HTTP/2
> Host: ct_server:6962
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 404 
< vary: Origin
< content-length: 0
< date: Tue, 30 Jul 2024 19:54:48 GMT
< 
* Connection #0 to host ct_server left intact

[haydentherapper]

Thanks! Can you resolve the conflict as well?