Add support for loading and verifying signed Wasm modules. (#147)

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
proxy-wasm · May 15, 2021 · e4042ae · e4042ae
1 parent deb0aea
commit e4042ae
Show file tree

Hide file tree

Showing 27 changed files with 1,151 additions and 7 deletions.
diff --git a/.github/workflows/cpp.yml b/.github/workflows/cpp.yml
@@ -75,3 +75,6 @@ jobs:
       run: |
         bazel test --define runtime=${{ matrix.runtime }} //...
 
+    - name: Test (signed Wasm module)
+      run: |
+        bazel test --define runtime=${{ matrix.runtime }} --cxxopt=-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" //test:signature_util_test
diff --git a/bazel/cargo/BUILD.bazel b/bazel/cargo/BUILD.bazel
@@ -39,6 +39,26 @@ alias(
     ],
 )
 
+alias(
+    name = "wasmsign",
+    actual = "@proxy_wasm_cpp_host__wasmsign__0_1_2//:wasmsign",
+    tags = [
+        "cargo-raze",
+        "manual",
+    ],
+)
+
+alias(
+    # Extra aliased target, from raze configuration
+    # N.B.: The exact form of this is subject to change.
+    name = "cargo_bin_wasmsign",
+    actual = "@proxy_wasm_cpp_host__wasmsign__0_1_2//:cargo_bin_wasmsign",
+    tags = [
+        "cargo-raze",
+        "manual",
+    ],
+)
+
 alias(
     name = "wasmtime",
     actual = "@proxy_wasm_cpp_host__wasmtime__0_26_0//:wasmtime",

diff --git a/bazel/cargo/Cargo.raze.lock b/bazel/cargo/Cargo.raze.lock
@@ -33,6 +33,15 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "ansi_term"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b"
+dependencies = [
+ "winapi",
+]
+
 [[package]]
 name = "anyhow"
 version = "1.0.40"
@@ -104,6 +113,21 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 
+[[package]]
+name = "clap"
+version = "2.33.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002"
+dependencies = [
+ "ansi_term",
+ "atty",
+ "bitflags",
+ "strsim",
+ "textwrap",
+ "unicode-width",
+ "vec_map",
+]
+
 [[package]]
 name = "cpp_demangle"
 version = "0.3.2"
@@ -219,6 +243,15 @@ dependencies = [
  "cfg-if",
 ]
 
+[[package]]
+name = "ed25519-compact"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aaf396058cc7285b342f9a10ed7a377f088942396c46c4c9a7eb4f0782cb1171"
+dependencies = [
+ "getrandom",
+]
+
 [[package]]
 name = "either"
 version = "1.6.1"
@@ -293,6 +326,12 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "hmac-sha512"
+version = "0.1.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77e806677ce663d0a199541030c816847b36e8dc095f70dae4a4f4ad63da5383"
+
 [[package]]
 name = "humantime"
 version = "2.1.0"
@@ -402,6 +441,12 @@ version = "1.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "af8b08b04175473088b46763e51ee54da5f9a164bc162f615b91bc179dbf15a3"
 
+[[package]]
+name = "parity-wasm"
+version = "0.42.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be5e13c266502aadf83426d87d81a0f5d1ef45b8027f5a471c360abfe4bfae92"
+
 [[package]]
 name = "paste"
 version = "1.0.5"
@@ -566,6 +611,12 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
 
+[[package]]
+name = "strsim"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
+
 [[package]]
 name = "syn"
 version = "1.0.72"
@@ -592,6 +643,15 @@ dependencies = [
  "winapi-util",
 ]
 
+[[package]]
+name = "textwrap"
+version = "0.11.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+dependencies = [
+ "unicode-width",
+]
+
 [[package]]
 name = "thiserror"
 version = "1.0.24"
@@ -612,12 +672,24 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "unicode-width"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3"
+
 [[package]]
 name = "unicode-xid"
 version = "0.2.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
 
+[[package]]
+name = "vec_map"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
+
 [[package]]
 name = "wasi"
 version = "0.10.2+wasi-snapshot-preview1"
@@ -630,6 +702,20 @@ version = "0.77.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b35c86d22e720a07d954ebbed772d01180501afe7d03d464f413bb5f8914a8d6"
 
+[[package]]
+name = "wasmsign"
+version = "0.1.2"
+source = "git+https://github.com/jedisct1/wasmsign#fa4d5598f778390df09be94232972b5b865a56b8"
+dependencies = [
+ "anyhow",
+ "byteorder",
+ "clap",
+ "ed25519-compact",
+ "hmac-sha512",
+ "parity-wasm",
+ "thiserror",
+]
+
 [[package]]
 name = "wasmtime"
 version = "0.26.0"
@@ -667,6 +753,7 @@ dependencies = [
  "anyhow",
  "env_logger",
  "once_cell",
+ "wasmsign",
  "wasmtime",
  "wasmtime-c-api-macros",
 ]

diff --git a/bazel/cargo/Cargo.toml b/bazel/cargo/Cargo.toml
@@ -12,10 +12,14 @@ anyhow = "1.0"
 once_cell = "1.3"
 wasmtime = {version = "0.26.0", default-features = false}
 wasmtime-c-api-macros = {git = "https://github.com/bytecodealliance/wasmtime", tag = "v0.26.0", path = "crates/c-api/macros"}
+wasmsign = {git = "https://github.com/jedisct1/wasmsign", revision = "fa4d5598f778390df09be94232972b5b865a56b8"}
 
 [package.metadata.raze]
 rust_rules_workspace_name = "rules_rust"
 gen_workspace_prefix = "proxy_wasm_cpp_host"
 genmode = "Remote"
 package_aliases_dir = "."
 workspace_path = "//bazel/cargo"
+
+[package.metadata.raze.crates.wasmsign.'*']
+extra_aliased_targets = ["cargo_bin_wasmsign"]
diff --git a/bazel/cargo/crates.bzl b/bazel/cargo/crates.bzl
@@ -51,6 +51,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.aho-corasick-0.7.18.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__ansi_term__0_11_0",
+        url = "https://crates.io/api/v1/crates/ansi_term/0.11.0/download",
+        type = "tar.gz",
+        sha256 = "ee49baf6cb617b853aa8d93bf420db2383fab46d314482ca2803b40d5fde979b",
+        strip_prefix = "ansi_term-0.11.0",
+        build_file = Label("//bazel/cargo/remote:BUILD.ansi_term-0.11.0.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__anyhow__1_0_40",
@@ -141,6 +151,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.cfg-if-1.0.0.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__clap__2_33_3",
+        url = "https://crates.io/api/v1/crates/clap/2.33.3/download",
+        type = "tar.gz",
+        sha256 = "37e58ac78573c40708d45522f0d80fa2f01cc4f9b4e2bf749807255454312002",
+        strip_prefix = "clap-2.33.3",
+        build_file = Label("//bazel/cargo/remote:BUILD.clap-2.33.3.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__cpp_demangle__0_3_2",
@@ -241,6 +261,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.crc32fast-1.2.1.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__ed25519_compact__0_1_9",
+        url = "https://crates.io/api/v1/crates/ed25519-compact/0.1.9/download",
+        type = "tar.gz",
+        sha256 = "aaf396058cc7285b342f9a10ed7a377f088942396c46c4c9a7eb4f0782cb1171",
+        strip_prefix = "ed25519-compact-0.1.9",
+        build_file = Label("//bazel/cargo/remote:BUILD.ed25519-compact-0.1.9.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__either__1_6_1",
@@ -331,6 +361,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.hermit-abi-0.1.18.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__hmac_sha512__0_1_9",
+        url = "https://crates.io/api/v1/crates/hmac-sha512/0.1.9/download",
+        type = "tar.gz",
+        sha256 = "77e806677ce663d0a199541030c816847b36e8dc095f70dae4a4f4ad63da5383",
+        strip_prefix = "hmac-sha512-0.1.9",
+        build_file = Label("//bazel/cargo/remote:BUILD.hmac-sha512-0.1.9.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__humantime__2_1_0",
@@ -471,6 +511,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.once_cell-1.7.2.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__parity_wasm__0_42_2",
+        url = "https://crates.io/api/v1/crates/parity-wasm/0.42.2/download",
+        type = "tar.gz",
+        sha256 = "be5e13c266502aadf83426d87d81a0f5d1ef45b8027f5a471c360abfe4bfae92",
+        strip_prefix = "parity-wasm-0.42.2",
+        build_file = Label("//bazel/cargo/remote:BUILD.parity-wasm-0.42.2.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__paste__1_0_5",
@@ -661,6 +711,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.stable_deref_trait-1.2.0.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__strsim__0_8_0",
+        url = "https://crates.io/api/v1/crates/strsim/0.8.0/download",
+        type = "tar.gz",
+        sha256 = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a",
+        strip_prefix = "strsim-0.8.0",
+        build_file = Label("//bazel/cargo/remote:BUILD.strsim-0.8.0.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__syn__1_0_72",
@@ -691,6 +751,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.termcolor-1.1.2.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__textwrap__0_11_0",
+        url = "https://crates.io/api/v1/crates/textwrap/0.11.0/download",
+        type = "tar.gz",
+        sha256 = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060",
+        strip_prefix = "textwrap-0.11.0",
+        build_file = Label("//bazel/cargo/remote:BUILD.textwrap-0.11.0.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__thiserror__1_0_24",
@@ -711,6 +781,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.thiserror-impl-1.0.24.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__unicode_width__0_1_8",
+        url = "https://crates.io/api/v1/crates/unicode-width/0.1.8/download",
+        type = "tar.gz",
+        sha256 = "9337591893a19b88d8d87f2cec1e73fad5cdfd10e5a6f349f498ad6ea2ffb1e3",
+        strip_prefix = "unicode-width-0.1.8",
+        build_file = Label("//bazel/cargo/remote:BUILD.unicode-width-0.1.8.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__unicode_xid__0_2_2",
@@ -721,6 +801,16 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.unicode-xid-0.2.2.bazel"),
     )
 
+    maybe(
+        http_archive,
+        name = "proxy_wasm_cpp_host__vec_map__0_8_2",
+        url = "https://crates.io/api/v1/crates/vec_map/0.8.2/download",
+        type = "tar.gz",
+        sha256 = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191",
+        strip_prefix = "vec_map-0.8.2",
+        build_file = Label("//bazel/cargo/remote:BUILD.vec_map-0.8.2.bazel"),
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__wasi__0_10_2_wasi_snapshot_preview1",
@@ -741,6 +831,15 @@ def proxy_wasm_cpp_host_fetch_remote_crates():
         build_file = Label("//bazel/cargo/remote:BUILD.wasmparser-0.77.0.bazel"),
     )
 
+    maybe(
+        new_git_repository,
+        name = "proxy_wasm_cpp_host__wasmsign__0_1_2",
+        remote = "https://github.com/jedisct1/wasmsign",
+        commit = "fa4d5598f778390df09be94232972b5b865a56b8",
+        build_file = Label("//bazel/cargo/remote:BUILD.wasmsign-0.1.2.bazel"),
+        init_submodules = True,
+    )
+
     maybe(
         http_archive,
         name = "proxy_wasm_cpp_host__wasmtime__0_26_0",